Every week, Casey Cammilleri interviews an expert whose work is giving security practitioners the knowledge and insights they need to excel in the future of cybersecurity.

We recently spoke with Lorenzo Pedroncelli, Senior Manager at RSA Security. Here are the top takeaways from the interview.

#1: Prove Identity, Protect Systems

“When you're talking identity, the most important thing to keep in mind [is] it does matter what system you use. Please use a good one. Please make sure whatever system you're using is well-reviewed, trusted, they have secure practices, they take care of their stuff. Use a good system.

“But outside of that, there are multiple good options out there. We all have strengths, we all have our weaknesses. And the important parts are, when you implement a digital security program or digital identity program, you are focusing on proving that that person is who they say they are. So that starts from, I mean, an early onboarding level. At the very beginning, when your employees get hired. How do you prove that the person receiving that first username and password is the person you hired?”

Actionable Takeaway: Use a trusted, well-reviewed digital identity system run by a vendor with secure practices. Verify identities during onboarding so that the person who receives the first credentials is the person you actually hired. This foundational step strengthens the rest of your security program and reduces risk from the start.

#2: Raise Awareness with Open Communication

“At RSA, you're going to find things — and I do this. I did this at customer sites. I don't know how many of them kept it up, but things like brown bag open talks, where we just do an online Zoom call or Teams meeting over lunch where we're going to talk about a security topic, or it might be an open floor to let someone else bring up their security topic, because we're a security org.

“It's really just having regular communications and facilitating those connections so that everyone feels comfortable. It's to the point where even our top people, all those C levels, if they get those weird phishing emails, they'll forward them. They report them properly as phishing emails, but then they'll separately ping either myself or an incident response team member and say, I just received this one. Something about it is different. Could you just check?”

Actionable Takeaway: Host informal security discussions, such as lunch-and-learns, to encourage open communication. Make everyone, senior leaders included, comfortable reporting suspicious emails both through the formal phishing-report channel and directly to the security team, fostering a proactive culture. That comfort helps the team spot unusual phishing attempts and other risks promptly, improving your organization's response capabilities.

#3: Build Relationships, Build Security

“Build good relationships and you're going to go far. I mean, there's not been anything I've found to be more valuable than being friendly and positive in security. I hate saying it because it sounds so cliche and it's like, oh, just be a nice guy.

“Genuinely. If you are nice to people and you're understanding of your employees and your users and you're there to help them work securely, not to stop them from working in a secure way, then everyone's going to make friends and it's going to get a lot better.”

Actionable Takeaway: Lead with positivity and understanding in security. Support employees in working securely instead of putting barriers in their way. This collaborative approach builds trust, encourages compliance, and strengthens security practices throughout the organization, creating a friendlier and more secure work environment.

Listen to full episodes out now

For more information about Ahead of the Breach, please visit www.sprocketsecurity.com/aob-podcast. Episodes are available on all major podcast platforms.

Apple

Spotify

YouTube

We look forward to bringing you more conversations with actionable insights that help in your pursuit to protect your most valuable assets — and help clients do the same!