Everyone knows how crucial security is and how it must be embedded into everything an organisation does. A simple glance at the news provides details on the data breach of the day tied to an application security vulnerability. Take a stroll to the Information Security department and you’ll hear about the latest blunder an employee made that resulted in lost data. Security is widespread and mainstream, but security culture has not kept pace with the threat landscape.
Culture is what happens when people are left to their own devices. This applies to security culture if we inject “with security” into that definition:
Security culture is what happens with security when people are left to their own devices. Do they make the right choices when faced with whether to click on a link? Do they know the steps that must be performed to ensure that a new product or offering is secure prior to ship?
Building a healthy security culture
An organisation’s security culture requires care and feeding. It is not something that grows in a positive way organically. You must invest in a security culture. A sustainable security culture is bigger than just a single event. When a security culture is sustainable, it transforms security from a one-time event into a lifecycle that generates security returns forever.
A sustainable security culture has four defining features.
- First, it is deliberate and disruptive. The primary goal of a security culture is to foster change and better security, so it must be disruptive to the organization and deliberate with a set of actions to foster the change.
- Second, it is engaging and fun. People want to participate in a security culture that is enjoyable and a challenge.
- Third, it is rewarding. For people to invest their time and effort, they need to understand what they will get in return.
- Fourth, it provides a return on investment. The reason anyone does security is to improve an offering and lower vulnerabilities; we must return a multiple of the effort invested.
A strong security culture not only interacts with the day-to-day procedures but also defines how security influences the things that your organisation provides to others. Those offerings may be products, services, or solutions, but they must have security applied to all parts and pieces. A sustainable security culture is persistent. It is not a once-a-year event but embedded in everything you do.
Why does an organisation need a security culture? The primary answer is something that deep down we all know. In any system, humans are always the weakest leak. Security culture is primarily for the humans, not for the computers.
The computers do exactly what we tell them to do. The challenge is with the humans, who click on things that they receive in an email and believe what anyone tells them. The humans need a framework to understand what the right thing is for security. In general, humans within your organisation want to do the right thing—they just need to be taught.
Luckily, wherever an organisation sits on the security culture spectrum, there are things that can be done to make the culture better.
1. Instil the concept that security belongs to everyone
Many organisations have the opinion that the security department is responsible for security. Sustainable security culture requires that everyone in the organisation is all in. Everyone must feel like a security person. This is a security culture for everyone. Security belongs to everyone, from the executive staff to the lobby ambassadors. Everyone owns a piece of the company’s security solution and security culture.
We often hear customers say, we are trying to change our employees’ security stories. By creating programs catered to region, department, and role, our people understand that security is part of their story and our culture.” This is an example that shows that they truly believe that security belongs to everyone and bakes security into everything they do.
You can achieve this “all in” mentality by incorporating security at the highest levels into your vision and mission. People look to these things to understand what they should focus on. Update your vision or organisational objective to clearly articulate that security is non-negotiable. Speak about the importance of security from the highest levels. This does not mean just the people who have security in their title (CISO, CSO), but also from other C-level execs all the way down to individual managers.
2. Focus on awareness and beyond
Security awareness is the process of teaching your entire team the basic lessons about security. You must level set each person’s ability to judge threats before asking them to understand the depth of the threats. Security awareness has gotten a bad rap because of the mechanisms used to deliver it. Posters and in-person reviews can be boring, but they do not have to be. Add some creativity into your awareness efforts.
On top of general awareness is a need for application security knowledge. Application security awareness is for the developers and testers within the organisation. In your organisation, they may sit within IT, or they may be the engineering function. AppSec awareness is teaching the more advanced lessons that staff need to know to build secure products and services.
Awareness is an ongoing activity, so never pass up a good crisis. Bad things are going to happen to your organisation, and many times they will be tied directly to a security problem. Grow your security culture with these teachable moments. Do not try to hide them under the rug, but instead use them as an example of how the team can get better.
Accountability before awareness is crazy. People want to do the right thing, so show them through an awareness program and then hold them accountable for the decisions they make after gaining the knowledge.
3. If you do not have a secure development lifecycle, get one now
Secure development lifecycle (SDL) is foundation to sustainable security culture. An SDL is the process and activities that your organisation agrees to perform for each software or system release. It includes things like security requirements, threat modelling, and security testing activities. SDL answers the how for your security culture. It is a sustainable security culture in action.
Customers across industries are starting to demand the crazy idea that organisations have an SDL and follow it. If you do not have an SDL at this juncture, Microsoft has released most of the details about its SDL free of charge. The lineage of many industry SDL programs traces back to the Microsoft program.
A reasonable place for the SDL to live is within a product security office. If you do not have a product security office, think seriously about investing in one. This office sits within engineering and provides central resources to deploy the pieces of your security culture. While we do not want the entire organisation to farm off security to the product security office, think of this office as a consultancy to teach engineering about the depths of security.
4. Reward and recognize those people that do the right thing for security
Obviously, enforcement and consequences are important to any awareness program, but at some point, we need to combine that with positive reinforcement.
Look for opportunities to celebrate success. When someone goes through the mandatory security awareness program and completes it successfully, give them a high-five or something more substantial. A simple cash reward of $100 is a huge motivator for people and will cause them to remember the security lesson that provided the money. They also will be quick to tell five co-workers they received cash for learning, and those five will jump into the training quickly. If you are shuddering at the idea of giving away $100 per employee, stop being so cheap and count the cost. The return on investment on preventing just a single data breach greatly outweighs the $100 spent.
However, this is not as simple as it seems, it turns out rewarding good behaviour can have bad results. For example, let’s say you want to promote the reporting of incidents. You educate your employees the indicators of compromise and how to report them to your security team. To promote this, you decide you will give a free lunch to anyone who detects an infected computer. While at first, this sounds good, in two weeks you will most likely have every employee surfing dodgy websites and downloading free screensavers in the hopes of getting infected. Your reward changed behaviours, just not the ones you wanted.
Another challenge is cost. Let’s say one of your employees gets hit with a social engineering phone call and your employee does the right thing. They identify the attack for what it is and report the attacker to your security team. To reinforce this behaviour, you immediately reward the employee a $50 gift certificate. The problem is you have now created precedence. Anytime an employee spots a real attack they will expect to get paid a reward. You can quickly bankrupt your awareness budget.
The trick to rewarding is making sure you motivate the right behaviours while keeping your budget in check. Here are some tricks.
- Rewarding behaviour does not require material goods, public recognition can go a long way. I know of several organisations that post an example of an employee doing the right thing with their monthly security awareness newsletters.
- If you do want to hand out a reward, keep it small. One organisation I know does nightly desktop checks at the office, making sure computer are locked and sensitive materials are securely stored. When they find violators, they take note. However, for those who are doing the right thing they leave a jelly bean at the table. The next morning employees come in and finds their reward.
Little gifts like this can really have a big impact.
Here at Layer 8, if people are practising good security habits, we leave a slip for them to be entered into a drawing. If they are not, we leave a pamphlet letting them know what they can do better to be secure or policy compliant. We post the winners on the Intranet as well as articles of our findings of what we as an organisation can do better.
Rewarding is tricky. Our first reaction is to reward people as much as possible but be sure to think things through. You want to be sure you are promoting the right behaviours and you are not setting costly precedents.
5. Build a security community
The security community is the backbone of a sustainable security culture. The community provides the connections between people across the organization. Security community assists in bringing everyone together against the common problem and eliminates an “us versus them” mentality.
The security community is achieved by understanding the different security interest levels within the organisation: advocates, the security aware, and sponsors. Security advocates are those people with a down-home passion for making things secure. These are the leaders within your community. The security-aware are not as passionate but realise they need to contribute to making security better.
The sponsors are those from management who help to shape the security direction. Gather all of these folks together into a special interest group focused on security.
Security community can manifest as one-on-one mentoring and weekly or monthly meetings to discuss the latest security issues. It can even become a yearly conference, where the best and brightest from the organisation have a chance to share their knowledge and skills on a big stage.
6. Make security fun and engaging
Last, but certainly not least, is fun. For far too long people have associated security with boring training or someone saying no all the time. To cement a sustainable security culture, build fun and engagement into all the process parts.
If you have specific security training, ensure that it is not a boring voice over a PowerPoint presentation. If you engage your community through events, do not be afraid to laugh and goof around some. In my previous role, at each monthly security community event, we started the meeting off with a game of security trivia with a different security category each month. We did hackers in the movies one month and security news in another. This is just an example of how to bring fun and engagement into the process.
Security can be so much more than PowerPoints and videos. Pick a fun theme and parody it—we did Game of Thrones. Give gamification a try. Throw a phishing writing workshop and have your employees write a phishing email for the company. The options are endless when you start to think outside the box.
What kind of security culture do you have?
Of course, every organisation has a security culture. If they say they don’t, they are either lying or afraid to admit they have a bad security culture. The good news is that any security culture can positively change how the organisation approaches security.
But culture change takes time, so don’t expect your members of your organisation to overnight become pen-testing Ninjas who write secure code while they sleep. With the right process and attitude, you’ll get there.