Security Culture: When Are We Really Creating Change? with Marisa Fagan
Welcome to the written recaps of the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today, I'm joined by Marisa Fagan, a lifelong community builder and security culture enthusiast. As the Head of Product at Katilyst, Marisa leads the development of security champion programs that empower Security Champions to drive cultural change.
Previously, she served as Head of Trust Culture & Training at Atlassian and has managed security programs at Synopsys, Salesforce, and Meta.
Marisa is also an active contributor to the OWASP Security Champions guide.
In this episode, we'll dive into some of the questions Marisa didn’t have time to cover in her talk "The Four Tribes of Champions" at BSides San Francisco.
We'll also explore how security culture programs must be tailored to different teams to succeed, how to reboot struggling programs (often caused by disengaging training content), and why passion often outweighs technical skills for roles like these.
Dive right in!
Frameworks for Security Culture Programs
When it comes to structuring security culture programs, Marisa emphasizes the importance of a clear, adaptable framework.
She explained, “We as security practitioners want there to be like a very cut and dry answer to these questions… but when you're dealing with people and culture programs, it's rarely so cut and dry.” Instead of a one-size-fits-all approach, Marisa proposed a customizable structure using a "magic quadrant"-based model. This approach categorizes programs based on their focus areas (detection, response, awareness, etc.) and their target audience (employees vs. developers).
"I put together a kind of framework to give some structure to these culture programs and to give people a way to categorize examples. And so I created a kind of a sort of a magic quadrant style diagram where we have on one side programs for security culture that are focused on detection and response or they're focused on corporate security, security awareness for all employees and then on the right hand side of this four quadrant diagram we have programs that are designed for developers that really focus on application and product security for kind of a subset of the company.
And then, of course, in quadrants, we need our top and bottom. The top is really tactical practitioners that are doing security practices. So practices such as threat modeling, practices such as reporting, reporting phishing, reporting strange behaviors, those things that have workflows that are designed for employees to participate. And the bottom quadrants are more learning focused. They are participating through taking trainings, doing CTFs, Security Awareness Month, those sorts of things that really build a community. And the point of the talk really was to say that there's no one way to do a security culture program."
Her model highlights the need to tailor security culture programs to different organizational needs. “There’s no one way to do a security culture program. There are simply more elaborate, defined charters and less defined,” she notes, reinforcing that flexibility and structure can coexist in security culture initiatives.
Maturity and Management of Security Culture
One of the key factors that influences the success of a security culture program is organizational maturity. Marisa points out that “maturity of a company and size of a company” don’t always correlate:
"It's funny, there's a distinction between the maturity of a company and the size of a company. And people often assume that larger companies get more mature as they grow larger. But that is actually almost the opposite of what happens. The more people you add to a program, the more indoctrination and onboarding and growing you have to do of those people, and it becomes more complex and actually less mature as you lose your coverage of these really strict structural programs that you've put in place. So I would not say that the most mature companies I have seen are actually your largest companies, like Salesforce, Google, or Meta. There's a lot of variety there as well."
Rather, Marisa highlights that the most successful programs often have dedicated technical program managers. These professionals “own a program for security awareness” and are essential for driving meaningful change across the organization. Marisa further emphasized that these managers should have excellent communication skills to bridge gaps across teams:
"If we look at the study done by SANS, that they put out about the maturity of security awareness programs, what they have found is that the most mature programs are actually the ones that have teams associated with them. So, a really good start is a security technical program manager who owns a program for security awareness. And the same is true for security champions, whether that's for an awareness program or a developer relationship. So one technical program manager or a security product engineer that is a person who is dedicated to running this program, is a very important first step. And it can be a part of a larger team, a really successful place to put a person like this is in the product security team if they're a developer relationship manager. But it doesn't have to be that way. You could have this dedicated program manager resource sitting in any part of the security org but they need to have access to the rest of the company."
Marisa has found that it's most successful if your technical program manager is senior level and has the communication skills and the passion to really drive programs and initiatives across the entire company:
"So these are people who are excited about presenting in front of leadership. They're excited about building bridges and cross-team collaboration. And so those sorts of things are really important skills to have and experience to draw from in order to have a successful program owner."
“Passion is more important than technical skills,” she states when discussing the ideal qualities of a program manager. For her, the role is about enabling others to take ownership of their security responsibilities. “It’s not about doing the security roles for everyone else… It’s enabling.”
Referenced: SANS 2023 Security Awareness Report: Managing Human Risk
Metrics for Measuring Security Culture Success
Marisa suggests that metrics are essential for assessing the success of security culture programs, but they must go beyond traditional security measures. Instead of focusing solely on the technical aspects, she advises organizations to track metrics across three key areas: people, process, and technology. “A people metric could be like training is completed by 100% of your population,” she explains. “The process metric could be a workflow being completed every time. You know, when somebody opens a ticket, those tickets get closed in 24 hours or seven days, whatever you need that process to be. The technology element might be a scanning tool that has its own metrics, whatever that may be: You have a number of events or a number of instances, a number of tickets, a number of vulnerabilities.”
She has seen companies approach metrics so differently across organizations that it's hard to be prescriptive.
And she doesn't stop there. For a metric to truly matter, it needs to resonate with leadership. “Your metrics should look like everybody else's metrics,” Marisa advises. “If you can put a metric about security champions into the CTO's leadership dashboard, this shows the impact of the security posture of the company… this is a real multiplier for the success of all of the teams.”
Here are some examples Marisa gave of how to translate these metrics:
"The one metric that comes to mind is training. So training is often the first place people start because you have this great platform that measures the concepts. So it can give you a kind of knowledge number, and it gives you coverage. So it'll tell you how many times, how many people are taking the training. And so in order to make it valuable, you should, I think, focus on the kinds of knowledge numbers. So in simple terms, that would be like quiz scores, but you could, you know, explore your LMS (Learning Management System) and find out how they're delivering a more nuanced number than just quiz score percentages. But then just, you know, tell that story, how that is an example or a symbol of the security knowledge in the company, and that translates into security posture.
And then another happy medium between the ability to track and the story that it tells is tracking how many times security practices have been completed. So threat models, how many times are those done? And you can kind of add to that as you travel around your company, you'll find more examples of security practices that can be tracked either through tickets or maybe the tools themselves have usage data. But anytime that you have a tool that is being used by a team that isn't the security team."
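To make the people / process / technology split concrete, here is an added example (not code from the podcast or from Katilyst) that computes the three kinds of metric Marisa describes, plus a security-practice count such as threat models per team, from constructed sample records. The training, ticket, scanner and practice data are all made up for illustration; the ticket SLA follows her "closed in 24 hours or seven days" example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data, not from the podcast: training completion per
# employee, security tickets (opened, closed-or-None), scanner findings and
# logged security practices such as threat models.
TRAINING = {"alice": True, "bob": True, "carol": False, "dave": True}
TICKETS = [
    ("SEC-1", "2024-05-01T09:00", "2024-05-01T15:00"),
    ("SEC-2", "2024-05-02T10:00", "2024-05-05T10:00"),
    ("SEC-3", "2024-05-03T08:00", None),               # still open
    ("SEC-4", "2024-05-04T12:00", "2024-05-13T12:00"),
]
FINDINGS = [("sast", "high"), ("sast", "low"), ("dast", "high"), ("dast", "medium")]
PRACTICES = [("payments", "threat_model"), ("payments", "threat_model"),
             ("web", "threat_model"), ("web", "pentest_request")]

def people_metric(training):
    """Percent of the population that completed training."""
    return round(100 * sum(training.values()) / len(training), 1)

def process_metric(tickets, sla, now):
    """Percent of tickets closed within the SLA. An open ticket already past
    the SLA counts as a miss; one still inside the SLA is not yet decided and
    is excluded, so the number cannot be flattered by leaving tickets open."""
    hits = misses = 0
    for _, opened, closed in tickets:
        opened_at = datetime.fromisoformat(opened)
        if closed is not None:
            if datetime.fromisoformat(closed) - opened_at <= sla:
                hits += 1
            else:
                misses += 1
        elif now - opened_at > sla:
            misses += 1
    decided = hits + misses
    return round(100 * hits / decided, 1) if decided else None

def technology_metric(findings):
    """Open scanner findings by severity, taken straight from the tool's output."""
    return dict(Counter(sev for _, sev in findings))

def practice_metric(practices, practice="threat_model"):
    """How many times each non-security team completed a given practice."""
    return dict(Counter(team for team, p in practices if p == practice))

def dashboard(now=datetime(2024, 5, 15)):
    """One row for the leadership dashboard: people, process, technology."""
    return {
        "training_completion_pct": people_metric(TRAINING),
        "tickets_closed_within_7d_pct": process_metric(TICKETS, timedelta(days=7), now),
        "findings_by_severity": technology_metric(FINDINGS),
        "threat_models_by_team": practice_metric(PRACTICES),
    }
```

Swap the constructed lists for exports from your LMS, ticketing system and scanners, and the dashboard row is what goes next to everyone else's metrics.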
Rebooting Failed Security Programs
One of the toughest challenges for any organization is rebooting a failed security program. Marisa recognizes that it’s a delicate process. “Starting over again is a difficult question because it is an emotional one,” she admits. Reflecting on her own experiences, she believes that the first step is to bring in new energy, perhaps through fresh leadership or a different perspective. "The easiest way to start over again is someone new comes to the team and they didn’t go through that heartache of what they feel like was a failure before."
However, she stresses the importance of conducting a retrospective to understand why the program didn't take off in the first place. She advises companies to ask themselves the “five whys” in order to get to the root cause: “Why did no one take the training? Why didn't they think it was good enough? Why wasn’t it good enough? Why was it important in the first place?”
That last one is really the heart of things:
"We say things need to happen that actually just don't need to happen. If you spend 10 years at a company that hasn't been doing it up to this point, are those impacts actually happening? It's not. It's not a good prioritization to say that we should be training people on things that are more than 10 years away from happening. You know, it's a once in a hundred year thing. This is all just classic risk management prioritization. You can't train everyone on everything. You need to be ruthlessly prioritizing... Have a startup mindset."
To further assist in rebooting a program, Marisa recommends reviewing the Top 10 Blunders that often derail security programs. These common mistakes, outlined by Marisa in her blog on Katilyst, can serve as a helpful guide when assessing a program's weaknesses and areas for improvement.
One of the primary reasons security culture initiatives fail, according to Marisa, is when the content doesn’t resonate with employees:
"To put it in simplest terms, that training content and the practices that you're asking people to do don't feel relevant or important enough for people to prioritize. That's real, like those people are making that decision and you can't really force them to be motivated by something that isn't motivating them. So you sort of need to accept that as a fact that while you thought it was exciting, it wasn't broadly exciting to enough people."
Engaging, relevant, and relatable content is essential for a successful program restart.
Phishing Training Example
Marisa gives the example of phishing training to demonstrate how ineffective, unengaging content can lead to failure. "Phishing simulations have this problem more than any because they don't really cross the threshold of feeling important to people. People don't understand why they have to go through the troubles you're asking them to go through." The training, often perceived as tedious or irrelevant, becomes a chore rather than an essential part of the organization’s security culture.
Instead, Marisa suggests approaching phishing training (and similar initiatives) with a compelling “why” to make it meaningful. “If you can’t tell a persuasive story, don’t do it,” she advises. When employees understand why these practices are important for their own security and the company's protection, they are more likely to engage with the training and take it seriously.
"So that's the first thing that my industry has really had to come to grips with is we were not telling the story of why our trainings were providing value. They were right not to give us traction on those things. They were not good enough."
Zero Trust and Its Cultural Implications
The concept of zero trust has gained significant attention in the security world, but Marisa raises an important point about its cultural impact. She describes zero trust as a branding issue, stating, “Calling it zero trust is just a branding nightmare. It’s zero trust of your employees. Great.” Instead of alienating employees with this negative terminology, Marisa suggests reframing the conversation. “Can we call it something different? Full support? Not zero trust?”
The key takeaway here is that zero trust shouldn’t be framed as a restriction but as a tool to empower employees and protect them. With the right communications plan, zero trust can enhance security while building trust with the organization’s people. Marisa further explains, “You can't just roll out technology without having a communications plan to people about how it works. If you do have the communications plan, and it's a positive spin, and it shows how you're supporting your employees and making their jobs easier and better, then I think absolutely that is the way to go.”
Final Thoughts
Building a strong security culture isn't a one-time fix. It's an ongoing process of adaptation, communication, and engagement. My conversation with Marisa highlights how critical it is to approach security culture with flexibility and passion, rather than relying solely on technical solutions! Whether it’s ensuring your security champions are empowered, creating compelling training content, or rethinking your approach to zero trust, it's clear that success comes from understanding the people behind the systems.
As Marisa so well puts it, "If you can’t tell a persuasive story, don’t do it". At the heart of every successful security culture program is a story - one that resonates with people and makes them feel part of the mission to protect the organization. So, whether you're rebooting a failed program or rolling out a new initiative, make sure your message is clear, engaging, and rooted in why it matters. After all, security is only as strong as the culture that supports it :)