The dreaded email arrives in your inbox: “Have you taken the security training yet?” As you start working through the phishing simulations and answering the multiple-choice questions, you can almost imagine someone sitting on the backend with a little clipboard waiting to put the checkmark next to your name.
Enterprise security teams have relied on more traditional approaches to train their employees on safeguarding against cybersecurity threats. Despite the fact that 82% of breaches are due to human error of company employees, many organizations continue to treat these annual or quarterly security trainings as a compliance checkbox. Once the user completes the training, the box is checked while the high cyber-risk behavior often remains.
Robert Fly and Masha Sedova knew there had to be a better way. So, in 2017, the two former Salesforce execs co-founded Elevate Security to help organizations address the one thing that was missing from their process-oriented systems – the human element.
Over the last twenty years, Fly witnessed security teams dealing with an endless onslaught of alerts and incidents, basically “security Whack-A-Mole.” Fly and Sedova initially set out to improve the system by automating the existing process, but that too wasn’t a solution – just another reactive approach.
Fly and Sedova needed to think bigger. That is precisely what they have accomplished by developing a solution(s) that provides risk levels for individual users. Today, Cisco Investments is proud to announce its investment in this forward-thinking proactive risk management platform.
Looking Beyond “One-Size-Fits-All” Training to Better Manage User Risk
Thinking about security solely as a training platform has always limited the traditional system’s ability to solve the underlying problem of risk-managing the users who are more likely to click on phishing emails, download malware, reuse compromised passwords and mishandle sensitive data. Employees often demonstrate vastly different risk levels rendering “one size” approach as severely underequipped.
“Many CISOs today think about managing user risk as a black hole where they really don’t see a return on investment,” says Sedova. “They know it’s a huge problem, and they try training employees before resigning themselves to it being a waste of time. Then, there are the forward-thinking CISOs who don’t see user risk as a standalone item, but instead, a way to optimize controls and spend while building transparency and communication within their workforce.”
The co-founders realized the resources to building a best-in-class insider risk management platform actually already existed. “Security teams have many resources at their disposal – access management controls, feedback and communication flows, which should be leveraged to better understand user risk,” says Sedova.
Elevate began to focus on the users and their individual assessed risk as a means of creating a proactive, personalized approach to identify those most likely to cause breaches.
This new approach has resulted in Elevate landing several marquee enterprise customers, including Equifax, Blue Shield of California, Atlassian and others. Many of the referrals have come via word of mouth from organizations looking to address what many CISOs consider “the biggest unsolved problem in cybersecurity today,” Fly notes.
By focusing on predictive user behavior, Elevate is able to protect organizations with proactively deployed automated controls and improved processes like personalized, near real-time feedback to users and managers, Human Risk Score™ employee assessments and increased visibility across the enterprise.
“Straight out of the gate, without deploying anything new, you can see benchmarked risk that you can use to make more intelligent and adaptive controls,” says Sedova.
Creating Safer Security Practices by Elevating People
For Cisco and Elevate, diversity takes a front and center seat for both companies’ culture and vision for the future. Cisco founded the Aspire Fund in 2020 to accelerate our investment efforts in diverse-led companies and venture funds – including ones like Elevate - and Elevate has always viewed diversity as a core value that’s integral to its growth.
“At Elevate, we rely on diversity as a strength,” says Sedova. “From the beginning, diversity has been a board-level metric that we report on an ongoing basis.”
Fly agrees, adding that when the co-founders started the company, they wanted to build a software reflective of a diverse employee base, one that the product was intended to protect and represent. He says, “We knew that if we wanted to start a company that was centered around employees, that we needed the company to match the employees that we were building the software to better protect and better represent. We knew we wouldn’t be able to do it well unless we actually set that out as a very specific company metric that we were constantly evaluating and making sure we made progress on.”
The industry took notice. After four years of building a diverse and inclusive work culture, Elevate received Best Tech Work Culture in 2021 as a small- to mid-size employer in Tech in Motion’s 7th Annual Timmy Awards.
What’s Next For Elevate
Looking ahead, the co-founders view Cisco as a “strong enabler” for Elevate.
“We’re super excited on this front because we see many opportunities to share intelligence, better understand user-risk, and help customers make more intelligent decisions dynamically,” says Fly.
Elevate’s co-founders are looking forward to the day when the true test of best-in-class compliance will center less around 100% completion of a training quiz designed to measure engagement and more around the actual risk management of the organization.
And as Elevate continues its journey of elevating people within security through both technology and cultural diversity, Cisco will be right alongside as a fuel propellant for the exciting trajectory.