Some argue that successful information security is a matter of getting the technology right. Others contend that it’s more about training and education. I think both views are valid, but neither is complete. Good information security is about technology design and deployment, to be sure. But it’s also about people and the right processes being in place.
After interviewing countless developers, CIOs, CISOs, and others involved in enterprise security, it’s clear to me that getting all these elements right will always come down to the old trio: people, process and technology. Perhaps one day we will design secure, fool-proof technology, but that day isn’t in the foreseeable future.
In earlier posts, “Continuous Security Monitoring in a Continuous World” and “Continuous Software Assessment for Highly Secure Web Applications,” we discussed how to keep deployed technology secure. In this post, I’d like to discuss one part of the larger topic of maintaining a culture that fosters a more secure organization. Here are some of what I consider the more important points, in no particular order:
Engage in earnest dialogue
People always talk about the importance of having conversations between the business and security teams. When it comes to security risk management, enterprises have embraced a lot of bad habits over the years. Security managers get in the habit of immediately putting the brakes on new initiatives for fear of too much incremental risk.
Conversely, business groups and developers too often like to push new initiatives out into production without a security review, if they can get away with it. If they must get a security review, it’s pushed to the end of the process.
The teams can learn to work together better in a number of ways. The first is to get senior management to care about security. When executives make it clear that good security is a business objective, it’s a lot easier for these teams to find the motivation to work with, rather than around, each other. Another is to establish agreed-upon milestones and security reviews and to involve security early in the design phase of any new initiative.
Finally, building good social connections, by having lunch or participating in other social engagements, can go a long way to building lines of communication and rapport among team members.
Strive toward empathy
Nothing goes further in enterprise communications than understanding where co-workers are coming from: their business demands, motivations, challenges, and how you can best help them achieve their goals. Building empathy is a critical part of what we hear about DevOps, too. And DevOps is primarily about improving collaborative efforts. The same is true for security teams and other groups in the business. Security wants to reduce risk to a level the business deems acceptable, and developers and the business-technology teams want to build the systems the business needs to succeed. There’s a natural friction in these two goals, which makes empathy even more important.
Automate what can be automated
While empathy is important, so is making the best use of people’s time, which means taking people out of the day-to-day equation wherever possible. This is achieved through policies, such as mandating a security check at certain development milestones and automating that check within the QA process. Another example is requiring that every newly built image be scanned for malware. These activities should be scripted into the process. No discussion.
Don’t boil the culture change ocean
Beware of unilaterally deciding that security teams, developers and lines of business will suddenly collaborate more, and then forcing that decision on everyone. That’s a good recipe for pushback and for having roadblocks thrown up in your way.
Instead, culture will change by building empathy among team members, attaining as much executive buy-in for security as possible, and automating security policies. Not overnight. Not without pushback and challenges. But it will change.
Culture changes when the right environment is created and the people within that environment want to improve and see mutual benefit in that improvement. That kind of collaboration, empathy, and shared understanding of what it takes to build a secure enterprise is essential to actually building one.