As more and more companies move towards cloud-native environments and remote work, it’s imperative that organizations establish a strong security culture. And an effective security leader should be cognizant of the challenges this involves. In my nearly 20 years as a security practitioner, I’ve had the opportunity to observe how security cultures are built at many firms, and I want to use this forum to share the lessons and takeaways I’ve gleaned.
What is a security culture?
A company that has a strong security culture embodies the tenet that “security is everyone’s job.”
First and foremost, what is a security culture? A company that has a strong security culture embodies the tenet that “security is everyone’s job.” Until every employee agrees with and acts as if security is a shared responsibility, it will be difficult to drive initiatives to raise the security bar. Below, I list a few factors that many companies with strong security practices have in common.
The CEO supports security initiatives and growth
This may seem obvious, but it’s worth underscoring: Often, the single most important predictor of success for any security initiative is that the CEO considers security a top priority. Many CEOs will claim to value and support security initiatives, but I recommend you pay attention to actions, rather than words. If there’s a security issue that needs to be mitigated, are you able to bring it up the chain so that a mandate can come down from the top? Is there a response when an issue escalates, or do higher-ups attempt to sweep the mess under the rug? Or, worse, do they downplay the severity of the issue? Moreover, do you get the sense that the entire organization is held accountable for security? It’s difficult to build a strong security culture without that fundamental support.
Security and engineering have a collaborative relationship
The security team can triage vulnerabilities, but in order to mitigate them and issue fixes, a collaborative working relationship between the security and engineering/development teams is essential. Far too often I’ve seen CISOs and other security leaders silo their organizations from engineering and development. This won’t help when it’s time to prioritize a security relegation over other deliverables. Plus, if the organizations are siloed, it can be challenging to establish a collaborative and cooperative working relationship in the first place.
Offer constructive alternatives, rather than just saying "no"
This is hands down the most common negative perception other organizations within tech companies have of security. At this point I’ve lost count of how many individuals have told me that security teams impede progress. Of course, it’s almost impossible to make security frictionless, since it often requires adding steps to workflows in order to reduce risk. However, a capable security team is able to weigh the inconvenience of those additional steps against the security benefits and minimize process slowdowns by only implementing what’s truly needed. This also plays into the security culture aspect of a company: The more aware team members are of security risks, the more likely they are to accept that these added steps are beneficial to the company as a whole.
Build security automation
To reduce the number of processes that get slowed down by security requirements, it’s imperative that security teams automate as many of the manual steps as possible. For example, if a process requires approval, create a mechanism by which the engineering team can submit a request without having to reach out to anyone manually. If there’s a violation of a security policy, automate the mechanism that detects the violation, automate the alert on that infringement, and automatically open an issue to assign a team member to resolve. This will also help the security team scale. Over time, automation will ease and refute much of the belief that security stalls other work.
Cultivate a friendly environment where no one is afraid to go to the security team to ask about a scenario that they’re unsure how to handle.
Be an educator and ambassador for security
The security team should be at the forefront of evangelizing best practices and should always be educating the rest of the company about the impact of those procedures, without chastising others for missteps. In addition, security teams must provide practical guidance, in order to raise the bar on security company-wide. Cultivate a friendly environment where no one is afraid to go to the security team to ask about a scenario that they’re unsure how to handle. This is much harder to do than it sounds, but it’s important to avoid perpetuating stereotypes of standoffishness, and for security teams to see themselves as teammates and collaborators rather than opposing forces. One of the best indicators of a security team that’s cultivated a security-friendly environment is when non-security employees start to independently suggest better mechanisms. This type of proactivity should be encouraged—because, as I’ve stated already, security really is everyone’s job.