Creating A Security Culture
Security is everyone’s responsibility. It is not something that just happens overnight. Building a truly secure organization requires more than checklists and policy documents; security must be baked right into the company culture. Each team member needs to consider security in their digital work lives.
Unfortunately, security departments often get a bad rap as the Department of NO. So instead, let’s explore a few ways to become the Department of YES, securely. This can be broken down into the following categories: improving communication, planning, finding security champions, and improving visibility and feedback.
A healthy education is important to the creation of a security culture. This doesn’t need to be a tedious experience for everyone, though. Short, easily digestible 3- to 5-minute monthly training is a highly effective solution that doesn’t take up a large chunk of anyone’s day. Furthermore, doing it monthly keeps security at the forefront of everyone’s mind.
There needs to be open communication and accessibility. Having options for communication such as Slack, Teams, and Zoom can bridge the gap. In addition, providing opportunities for communication such as office hours or whiteboard sessions on a particular topic relevant to the organization (like discussing third-party provider best practices) invites discussion and proactive questions in a completely non-confrontational manner. This is also an excellent forum for reporting suspicious-looking emails or asking other pertinent questions.
There is a real value to having a shared language, which education can achieve. In addition, educating teams on information security is one of an organization’s most important investments in its employees. Benefits include reduction in errors, enhancing company-wide security, and increasing compliance.
When future breaches occur and the company’s reputation is at stake, having company-wide security best practices in place helps alleviate the damage done, saving both time and money in the end.
Watch the Full Replay of This Session from INS1GHTS2021: Build the Better Future
To watch Ryan Davis’s full session, Operation Security - Forging a Secure Organization through Partnership, visit our replay hub.
There needs to be adequate security representation looped into future planning and organizational changes. Again, this is much easier when done from the get-go, whether around creating new products, altering company strategy, or adopting new policies.
The earlier security is included, the stronger the result will be. This also prevents the endless headache of going back and reworking security into these plans. Have security representatives on the control board, architecture councils, and policy review board. This prevents any surprises from arising in the future.
One highly successful security protocol example is TSA’s ‘See something, Say something.’ It did an excellent job of putting the onus on everyone to participate for the greater security of all.
This can be a great model for companies to follow, too, since it’s not always possible to have full-time security representatives in all facets of a company. Security teams tend to be small compared to the rest of an organization. The solution can be as easy as encouraging individuals with an interest in security and essentially deputizing them. Of course, offering incentives can go a long way here. There needs to be a sense of team, and a way for these deputized volunteers to distinguish themselves and be recognized as having gone above and beyond. One option is offering training to anyone with a high level of interest. Another healthy option is opening a forum to highlight successes within the organization. Security champions are another crucial piece of building a strong security culture.
Visibility & Feedback
Giving feedback is another excellent way to build a security culture. To train your team effectively, provide the right level of education, paired with gentle, friendly reminders. Having multiple channels works as well, from a simple email reminder to a quick Slack conversation asking someone to reset a password for security’s sake. These small touches keep people in the loop.
Providing transparency on policy is important as well. It allows and encourages candid feedback. In addition, it’s beneficial to reward good behavior. Incentives for doing the right thing lead to higher levels of good conduct. This could be as simple as creating an internal leaderboard, where people who pointed out a certain number of phishing emails in Q1 receive a prize.
Security needs to be transparent. Expectations shouldn’t come as a surprise. It’s also important that your customers are granted visibility into what you do as a security organization. Again, this transparency builds honest feedback by creating an atmosphere where everyone feels they can speak candidly.
Provide mechanisms for this feedback. For example, dashboards are a great way to give teams visual feedback on how they are doing. Another option is a virtual, anonymous dropbox, where people can share things that concern them or seem off. Making it anonymous can make people more comfortable reporting or asking questions, which is very useful.
Security teams cannot secure an organization entirely on their own. Each team member must help out, ensuring baseline security knowledge across the board. Above all else, collaborate!
To learn more, check out the following resources: