Every work place has its own security culture defined by the values, traditions, beliefs, interactions, behaviors, and attitudes of the group. Many companies have appropriately stated security policies and standards that are not reflected in practice due to the security culture of the office, or it is difficult to change the policies and standards due to the security culture. In this talk I discuss how to stimulate change in an organization. I will go through multiple real life situations and discuss my successes and failures to stimulate change. Some of the real life situations include getting the business to change requirements that are not secure, improving the level of security awareness in IT staff / programmers / code, changing security policies that hurt overall security, and more. I have statistical data on the efficacy of some of the methods discussed, and go through a post mortem on the failures to help others avoid the same mistakes.
Nancy Snoke currently runs her own cyber security consultant firm, MagickSecurity LLC. In the past she has been the senior software engineer responsible for web application security at PGAC, and a penetration tester for Cisco Systems. Nancy has previously spoken at Derbycon. She got her undergraduate degree in Computer Engineering at Tulane University, and her Masters in Computer Science at University of Illinois Urbana-Champaign.