Three Steps You Can Take to Give Your Security Culture Superpowers Inspired by the Marvel Universe


by Amanda Fennell

Amanda Fennell. CSO & CIO of Relativity

The echoes of 2020 have reverberated into 2021 with another record-breaking year for data compromises. According to The Identity Theft Research Center the number of publicly-reported data compromises through September 30, 2021 has exceeded the total number of events in full-year 2020 by 17%. This year, we’ve seen that no business or industry is exempt from being the target of a cyberattack, including notable attacks on major universities, police departments, law firms and medical institutions.

To combat this, enterprises continue to turn to the latest and greatest security tools to prevent themselves from being compromised but oftentimes ignore the one element most at-risk for a breach: their employees. Just this past year, the largest security breach was due to an employee creating the password “solarwinds123”. In 2020, phishing scams were a leading point of entry for ransomware, constituting up to 54% of digital vulnerabilities. Poor user practices and lack of cybersecurity training were also significant contributors, both of which are closely related to interaction with phishing messages.

As we enter a new year, organizations must take a new, people-centric approach to how they can improve their security postures if they want to prevent 2022 from being another record-breaking year of cybercrime. It is time that the people within your organization become the strongest link in your security chain. To do that, it’s essential that you train and equip them with the security knowledge and tools they need to be successful. People are an organization’s most powerful secret superpower. Below I’ve outlined three steps your organization can take in 2022 leveraging some of the best Marvel movie quotes to ensure they are memorable as you build a better security culture within your organization:

  1. “Just because something works, doesn’t mean it can’t be improved.” – Shuri, Black Panther Make security awareness ongoing and consistently test your employees. Consistent education, training and good technology is vital to ensure that employees—and company—don’t fall victim to a cyberattack. For example, although phishing attacks can be simple in nature, the sheer scale on which phishing campaigns are executed makes it the number one threat for employees. This is why organizations should build in a phishing training and simulation course into onboarding trainings for new employees and consistently test both new and old employees with a consistent cadence of phishing simulations throughout the year to strengthen and refine their phishing awareness and reporting muscles. Following implementation of these tactics at Relativity, we saw a 40% drop in terms of employees taking incorrect actions and consistently see a sub 3% “hook-rate” on employees in our monthly phishing simulations. According to Proofpoint’s 2021 State of the Phish Report, the average failure/hook rate across organizations that participated in the study was 11% in 2020.


  1. “I can do this all day.” – Steve Rogers, Captain America: The First Avenger

Hold employees accountable to uphold a strong security posture. All employees at all levels of an organization should feel a sense of responsibility when it comes to safeguarding their organization against a cyberattack, from the CEO to the summer intern. It just takes one employee to make one mistake to expose your company to significant cyber risk. It’s important that everyone plays an integral role in keeping your company’s data secure. Security teams should cultivate a culture of personal responsibility so that employees treat security in the same way they approach any other company policy. To do this, develop a defined number of key security behaviors that are tangible for employees to learn and intuitively incorporate into their day-to-day work:

  • If you see something, say something. Encourage employees to immediately contact the security team to report suspicious behavior. Timely reporting of an unusual email or event may be the difference between your company’s network and security infrastructure withstanding an attack rather than succumbing to a zero-day exploit.
  • Think before you click. Educate employees on signs they should be on the lookout for that indicate a communication or hyperlink is not legitimate and if something doesn’t look or feel right, report it immediately.
  • Create long, strong passwords. When it comes to creating strong passwords, the single most important factor is the length. You can boost the robustness of passwords within your organization, by setting a minimum character length. The longer the better – think 20 characters or more. Additionally, when a service supports it, enable 2-factor authentication. There are three factors total: something you know (a password, a PIN number, etc.), something you have (a hardware token, a software token that runs on your cell phone), and something you are (a biometric signature, like a fingerprint, hand geometry, iris print, etc.). Using a second factor makes compromising a password of no value to criminals.
  • Be aware of surroundings – whether at the office or working remotely. Remind employees to remain vigilant about keeping their devices locked, using caution while browsing the internet and accessing business data with personal devices whether in office or working from home. While working remotely especially, without the safety net of an organization’s IT team’s closely guarded network to catch employees if they make a misstep, their everyday choices require more caution than ever.


  1. “It’s not enough to be against something. You have to be for something better.” —Tony Stark, Captain America: Civil War Empower employees to become security guardians of your cybersecurity galaxy. It’s not enough to just expect security and IT teams to be security advocates, that’s why at Relativity we created a Security Guardians Program to better educate and engage employees. Our Security Guardians Program has three tracks, allies (all employees), ambassadors (customer facing employees) and champions (engineers and employees in other technical roles). The program offers three Certification Crests (Bronze, Silver, Gold) upon the completion of each track. To encourage participation in completing certifications we hold contests and award prizes. Since launching the optional program in December of last year, 48% of employees have completed at least one course.

People are an organization’s number one security risk, but they’re also their greatest superpower. I firmly believe that if organizations put forth a deliberate and ongoing effort to improve security culture by maximizing people’s potential through creative and compassionate education, meaningful use of technology and process and the conviction that there is room for taking risk in security, the benefits will be felt everywhere across your entire security chain. The stakes are higher than ever, and organizations can’t risk not to invest in educating and empowering their employees to be security superheroes.

No mistakes. No do-overs. Look out for each other. This is the fight of our lives.” –  Steve Rogers, Avengers: Endgame


About Amanda Fennell

Amanda joined the Relativity team in 2018 as CSO and her responsibilities expanded to include the role of CIO in 2021. In her role, Amanda is responsible for championing and directing security strategy in risk management and compliance practices as well as building and supporting Relativity’s information technology. She also hosts Relativity’s Security Sandbox podcast , which looks to explore and explain the unique links between non-security topics and the security realm. In season 2 of the podcast premiering in January 2022, the theme of the podcast will be “the power of people” diving deeper into themes explored in this article about how people are an organization’s greatest security asset.