So, first of all, introducing startup to such a broad audience, who's used to work in a company who is usually beyond 10,000 employees. And plus it is really like a different approach. I want today to introduce to you. So talking about the human factor, I guess it is always about culture, which is important. And we all know this may tougher, where we are talking about the human is the weakest link in the security chain, right? We, we always hear this and it is kind of true, I would say so, but it's like more important to understand what culture is playing in this role for this human factor role. And I want today to introduce a little bit more to like, first of all, in interaction to culture, what is culture, how people interact because of culture and how security is affected by that. So, first of all, you can find all my citations I do in the presentation.
So if there's a star, please make sure to check out the original source culture. So this is stated here is a pattern and shade, basic assumptions. So this is really interesting because when you look at the last words in the sentence problem, this is something security, most often deals with, right? Incident response. Think about that. And other stuff. And culture is the main influence. How people interact with problems, how people decide how to solve the problem, how to report the problem, or how to think and feel when problems occur. And it not always means to be an emergency, they need to call out or something like this problems is something which is really something that bothers people so much that there's sometimes understand that there's a problem. It might be interactive with them, but not active showing them to themselves.
So culture is a factor who gives you stability around you. If you have a common shared sense, what is going on around you with all the peoples around you, you feel like comfy, you feel like home, you feel like you belong to this group of people, but also it's about having the same patterning in decision making. So when you have friends around you, you have friendships. You have family, you are always more than certain that you will all come to the same decision when a certain problem arises or shows. And this is how culture in your company is really important. So you want to have a culture where you know that the people comes to a certain point to a certain decision, always the same, like 100% sure to this remediation answer. But this sounds not pretty easy, right? But it's not too easy because you have this human factor who is making this decision. It's not you, it's not the security department. It's the employees in the whole company. And this puts you to a high amount of risk, which you face on a daily basis.
So I work in a bank and most certainly you heard of Baffin or B I T if not, I can shortly explain, but basically it's authority putting out some requirements who makes sense most often, sometimes you feel like treated not so well by them, but certainly they do have some interesting facts around that. And I just put some, some facts in there. I, I read through the BIS, they actually run from 2021. And, but you can find, they also emphasize in a certain area of aspects, culture. They never use the word culture. But when you look at all the different areas, which is just example there, a lot of more, you see like knowledge sharing, which is this pattern, right? You want to share knowledge across people. You want to have senior management buy in so that someone who's making a decision also deliver rights, this decision making process to all other people so that they make the same decisions. You have this ation of duties. So you want to understand who plays, which role in the group of people you are interacting with. And this is just some examples. Okay? But we understand already that also the legal authorities are making their mind up how to implement a certain way of culture in our company.
So how can we now set up culture? So basically when it's written you, first of all window game, because now you have all the tests who can check, whether it's there or not. So this is something where it begins with, right? If it's not written, it's not existing. So you can put out frameworks policies, you can put out standards, whatever you want, but in the end, the human factor, the humans, the employee decides whether he or she reads this or not. And this is really about awareness. So how can I make all employees, like not only security department, not only our senior management, but also like the customer service support guys, the marketing guys and the data guys aware of the rules that we have, not only V but the B T the Mr. Risk, the B has put out for us. So now we are coming to the first problem. What we can see here. Usually what you see is not everyone in the company is reading policies. Basically. It's just a small amount of people who do so, but what can we do about this? So reading is basically even the first part, how you can share information with your employees. What, where you want to come over is like the last point training. And this is basically again, something that B is requesting you to do emergency plans and the exercise of it. So you want to make sure that people are aware how to deal in a certain way when a problem occurs,
But this is really expensive doing trainings. You cannot do it on every topic you cannot do in every department. You just are struggling already. When you do three exercises a year on really the main parts, this is a really huge amount of work. So what can we else do to put out the additional pull and push incentives there? And this is
The pull and push incentives. What drives me most at trade public? How I can introduce the security culture that really works. I mean, if it really works, the result will be shown in a different way. I, I can say it works, but you know, it not always meant to be so, so what is maybe for treasury public different to as, as, as being a startup to big companies is a size, it's the type of people who are working in this company and what we see here while we are trying to implement a security culture. I mean, we, we can basically read the B it's so tremendously good and just can implement it. But what we see here are people at young age, we see people who are like 30 years old on average, they have like up to five years off of professional years in experience.
And they have basically high influences around them, right? You, as I started there last year, we were like 120 employees. And I was sitting to all the other head of departments. So basically when you want to bring up a decision, you were just throwing your head to sight and, you know, you can talk to them. So this is where high responsibility teaches you to interact Fastly with all the other stakeholders you have around you. So there's a different way of how people work in a startup, just because of the surrounding of the BES they have around them. Some would say, I, I lost this. It sounds like chaotic, right? If you don't have too much processes on board, but I like to say it's more like on a less repeatable way of how to do your daily workload. Talk about, about trade public already a bit. This is like publicly known numbers, not too much
Insight numbers. So we have grown from 120 employees as I started there till couple of weeks ago, we headed to 600 employees and our customer base growth from 350 K September last year to over 1.5 million. So huge growth in this time of area. And also for the C to handle the first and second line of security, not only the customer's base is growing, but also the internal employee base is growing Fastly. So looking back on June and July, 50% of our whole company members still in their probation period, they never run like one or two or three awareness trainings as they're so young. So this is now how to talk to such young people, how to make them aware that security is important. And while that, by talking to them, trying to stick to the key business advantages you have as a startup, like already talked about low barriers, you can just throw ahead and talk to the other department and not have to write like emails and facts.
I don't know, to get in touch with the other departments. And I wanted to keep this business advantage it's because for the next years, it is really important to stick to them as long as possible. This was my major driving goal for implementing security culture. But on the other hand, we have problems again, let's last time talking about problems. Then I will tell you how I emphasize the security culture. So these are numbers from the BSE versus the bonus technique. And they put out numbers in their report for this year where you truly can see that not everyone gets too much into security. I like the first grade number, like 40% inform themselves about security inform themselves, meaning it includes on the internet, newspaper, your policies you put out there, and even 60% are get getting, not in touch at all with those information. And you need also to make them aware that while working in the company, especially for young people, they do not have such hyper risk. When they go home, they are now in a private space. It is totally interacting for young people, as they do not have like already a family, they do not have houses or stuff like this, where, where they shut down their head and go into, I dunno, card working. But basically at home, they check their emails again with their mobile phones. Even though you have now bring your own device policy in place and stuff like this.
So risk is really arising from our young people in startup. There are a lot of cortic stuff is going on. High responsibility is taking over from such employees and they're doing crazy decisions on a day to day basis. And even though they're getting teling targeting even more than in big companies, because of me, it is important to put up good spam filter from the first day, almost because I have so many other topics I need to work on. Maybe star spam is like one of the least important topics from the beginning, because I have to maintain the banking license. I have to talk to the auditors. I have to talk to the B and stuff like this. And still, this is something which is really important as you can see, is it spam in a company? The fishing in a company is really something which puts a human factor at a high risk. So while working one year at trade Republic, these are the key takeaways I would suggest, which makes our culture being different to kind of other companies.
So when I'm talking to the head of, to our senior management level, what what's really important from the beginning on what's for me is to make and trusted and honest relationship and trusted relationship is easy to call out, but they are crazy definitions about what is trusted relationship. It means that you empathize into the other one, that you understand what their problems are on a day to day business. So you need to think yourself, what business decisions are they doing? You need to understand in which business area they're working for. So you're not anyway talking. Technically when you're talking about customer service, you're talking customer service language. You want to achieve a high customer satisfaction score. You want to receive low ticket inbound again and again and again, these are the facts that drive those business stakeholders and S security guy. You need to understand and need to make yourself aware what their day-to-day challenges are. And then after you understand it, you can talk about the risk associated to this. You cannot talk about, yeah, you implemented in tool and they are now erasing risk. You already lost your stakeholder on this point. So making security, understandable and reasonable for their stakeholders, where you're talking to them is the most important part. You want to talk about risk. You want to talk about cost. If they do not do something, you want to talk about benefits, but they can have out of this. And then you can see when you have the buy-in from a senior management, from the leaders, they have like monthly, they have weekly, you can show up in these calls and just give yourself five or 10 minutes to make everyone aware that you are there.
We had one good example on February this year, where we put out a fishing campaign, basic stuff, three different scenarios, depending on which area we put out, this fishing scam. And we, we received like kind of industry standards for the response rate. But what really drives me crazy is that we only had two people. I, I don't know if it's much or not much, but those two people were clicking in it and putting their credentials on it. But the interesting fact about this after five minutes, they were reporting this to me. So their credentials, they're just five minutes at risk, and this is something you want to emphasize for the whole company. And this is the second last point, establish a failure culture. You want to allow failure, and you want to understand how they react. Remember, what is culture about, about problems, how they interact with problems. This is how important culture is for all the people that they come to. The same decision as you do. And security is not made up in the security department, but on your first line of defense, which are all the people out there and their decisions they do.
So you can imagine somehow like awareness of something like this in your company, in your head while you're growing fast. First of all, it's like really randomly, you are exposed. You have a lot of problems, but when you stick to this culture, implementing implementing rules and standards, you can come from this exploring path to a design phase. And the development phase and communication is key for this. You, as it CSO play to, to talk in a regular base to all your business stakeholders and to make them aware of the risks they own and how to treat them well. So we are now taking a look at the company, but also the regulatory authority is not doing so. And I guess this is something which will carry on for the future even further. So we, we are talking about security culture in our company, but have you ever think about our supply chain, I guess yes. In terms of technology and processes and availability and stuff like this, but about culture, have you ever checked up the culture in your supplier's company? So last slide before I stop here at this point, I guess this is one of my favorite sites I see from other Einstein. The world is not threatened by the people who are evil, but by those who evil make happen. Thank you.
