Company culture is a phrase that means different things to many people. From the company mission statement to the performance of a team, culture is often an amalgamation of leadership values and individual employee contributions. Security, and its many variants (cybersecurity, infosec, et. al), isn’t always a word associated with “culture”. But in today’s digital landscape, it absolutely should be.
Building a successful company culture often comes down to three elements: people, processes, and technology. A lot of education out there today emphasizes processes and technology, but effective security cannot be achieved without an organization-wide dedication to security. This is where people come in. From top-down to bottom-up, the best security cultures weave all three of these elements together equally. Here’s how:
1. Align security with business value
In order for security to be successful across an organization, it must permeate from a top-down strategy. This starts by aligning business-wide goals with the goals of security: to impact profitability, productivity, and brand reputation. From here, leadership can more effectively map security functions to each team, process, strategy, and technology.
Security and compliance are often big drivers in winning enterprise deals. Many large companies can only do business with companies compliant with HIPAA, SOC2, PCI, and so on, meaning sales are directly impacted by security efforts. Gaining employee buy-in can be achieved in many organizations by aligning security measures with winning deals.
2. Empower everyone to become security advocates
While a top-down approach to creating a culture of security ownership is crucial, building a bottom-up approach that involves and excites middle management and individual practitioners to participate is equally important. These advocates can champion security initiatives within not only their departments, but organization-wide as well.
There are two traits to look for when searching for advocates:
- Those that have an interest in security, such as security-minded developers. Becoming a security advocate is a natural extension of what they’re already doing, so they are, quite often, the easiest people to get on board.
- Those who understand the business value of security, such as a VP of Engineering or CEO. It is their job to keep the business growing up and to the right, so they know and feel the organization-wide impact of securing infrastructure, ensuring customer confidence, and meeting industry-mandated security standards.
Once you have established security advocates, it’s important to assign them particular tasks for clarity, alignment, and accountability.
Secure coding practices are a great example. As a company grows, the task of enforcing best security engineering practices can quickly balloon out of control, but with security advocates designated across the organization, these policies can be better implemented and enforced, even at scale.
3. Train teams and give them the right tools to succeed
An informed organization is one of the most important defenses against attacks. Workforce training starts by communicating how security can protect the company and why that matters. From there, you can begin to implement processes and policies to put company-wide security initiatives into action.
The best way to ensure that these are effective is to implement systems that are both practical and seamless to everyday workflows. To do this, the right tools need to be leveraged. This is where security automation comes in, giving you all of the benefits of security protections without the overhead that can burden your employees.
A great way to conduct security training is by simulating real-world attacks. It’s not enough to present a slide deck on the dangers of today’s cyber attacks. That’s when employees fall asleep. Instead, demonstrate what a real attack looks like (from suspicious links to stolen credentials) and provide on-the-spot training for how to respond if someone falls victim.
Don’t blame or point fingers. Instead, provide your team with the tools they need to be effective, including Slack scripts to alert on issues, training on two-factor authentication with the likes of Duo Security, data backups and encryption, and, of course, password management apps such as 1Password.
4. Gamify initiatives and measure the results
Summary reports, bar charts, progress bars, you name it! While using the reporting format of your choice, show off the value security is creating for the business so that your teams can see how their work is making the organization safer. This is where gamification of security can have a huge impact.
Some examples of incentives include:
- Internal bug bounties, where employees who find security bugs get a bonus
- Friendly competitions where teams that respond the fastest to security events receive public acknowledgment and/or a bonus
Here are a few options for reporting the results of security work:
- Dashboards that shows how many attacks were blocked/stopped
- Dashboards that show improvements in code quality over time (using tools like Coverity to measure stats such as vulnerabilities reported)
- Leaderboards to show how quickly teams are resolving reported security issues
5. Create an open feedback loop and implement constant improvements
Security is never a set-it-and-forget-it thing. At Komand, we’re always hungry to improve our practices, and we encourage you to do the same in the form of continuous updates and policy improvements to keep up with the latest threats.
Do this by listening to your teams. What is working? What isn’t? What can be improved upon? This feedback loop ensures that security processes and technologies in use are in fact effective, useful, and easy to use.
Here are a few effective ways to receive and respond to team-wide feedback:
- Create an email address dedicated to receiving employee recommendations for improvements
- Encourage suggestions during team-wide meetings
- Have an open-door policy to encourage external team members to give security leaders feedback
- Use a wiki or Trello board for submitting requests
With feedback and real-world learnings from your security program, you can continually improve your security posture.
Implementing your culture of security ownership
A culture of security ownership doesn’t just depend on the security team, but on the company as a whole. By embedding an organization-wide approach to security, one that aligns security measures to business value, integrates security advocates, provides realistic training, rewards and enforces security efforts, and is able to ebb and flow with the needs of the teams, you can create a security culture in which everyone plays a part.