On This Page

Expanding the Blue Team by Building a Security Culture Program

Masha Sedova and Marisa Fagan | July 30-31 & August 1-2


In 2012, Salesforce began a new approach to their security awareness program. The goal was to not only educate the company's employees about security, but also to make them care and invested in their part of securing the company. After a multi-step approach, the company continues to see increasingly promising results on phishing tests, trainings, and red team exercises. The steps included measuring key behaviors, expanding training with a Learning Management System, using gamification to reward employees, engaging high risk demographics with community building techniques, increasing training to developers with a Champions program, reviewing the internal communications plan, and rethinking the company mandated security awareness training. These are practices that can be incorporated into any organization. This course will give students the tools to customize these concepts to fit the culture of their company.

  • Defining company security culture
  • Measuring key behaviors and knowing your impact
  • Expanding the role of training using advanced Learning Management Software
  • Using gamification to reward employees and change behavior
  • Building sustainable communities out of groups
  • Identifying and recognizing Security Champions for key assets
  • Reviewing the internal communications plan
  • Rethinking the company mandated Security Awareness Training

Who Should Take this Course

Anyone who cares that their employees care about security.

Student Requirements

  • A high level understanding of the Vision and Mission of the company
  • A deep understanding of the behaviors and risks caused by employees

What Students Should Bring

All materials will be provided. There will not be a computer lab, but an internet-enabled device for web browsing and note taking will be helpful (but not required.)

What Students Will Be Provided With

Course materials and slides


Marisa Fagan is a security culture expert currently working within the Trust Engagement team at Salesforce. Her team specializes in enhancing the security presence in the company and increasing the security knowledge base of their employees. Previously in her career, she built communities in the Information Security industry around security research and vulnerability disclosures. She is the co-founder of several conferences and organizations bringing the InfoSec community together to share knowledge. Mrs. Fagan has been a presenter at DEF CON, Summercon, SecTor, B-Sides, and CactusCon.

Masha Sedova is the Senior Director of Trust Engagement at Salesforce. She has built a team that drives a secure mindset amongst all employees using user security behavior testing and data analytics paired with elements of gamification and positive psychology. The scope of her work runs the gambit of general awareness such as phishing and reporting activity to secure engineering practices by developers and engineers. She and her team have built security simulations, MOOCs, company-wide competitions, and custom lab environments to drive effective learning of vital security behaviors. Her efforts have culminated in a security program that is altering the way Salesforce's employees, customers, partners, and large corporations approach security. Prior to her work with Salesforce, Masha was the principal founder of Dymera Strategies Consulting where she conducted social engineering and security awareness training to international companies and government agencies based on tools, techniques, and methods of prominent cyber warfare actors. Masha has also worked for Northrop Grumman and BAE Systems as a cyber threat researcher.