Field Notes

Culture as a force multiplier in a security program

Having security reflected in an organization’s culture is universally acknowledged to be a positive in today’s data-centric companies. Despite this, it has proven difficult to implement in a sustainable manner. There are multiple reasons, one of which is a failure within the security community to provide those around us with an understanding of what a security program’s goals are. To many, information security may represent an ideal state to be achieved as an end goal. This, however, misses the notion that security, and developing a security-aware culture, is an ongoing journey. To be truly ingrained, the security program needs to be thought of as a living, breathing and constantly evolving characteristic of the systems, people and processes that make up your organization. This also means that it requires constant care and nurturing to reach its full potential.

It starts with people

A strong security culture begins with the people on your team and, depending on the maturity of your program, there is a need for a variety of profiles - technical experts, people able to scope and drive projects, and those that understand compliance, regulations and how they apply. Particularly when you are first building a program, there needs to be a non-negotiable requirement for strong interpersonal skills - communication and a deep sense of empathy in particular. Without these strengths to base your security program on, its effectiveness will never take off, and it will fail in ways that are invisible until it’s too late. Now more than ever, the ability to connect with people is essential: physical distancing has become the new norm, and entire workforces are shifting to remote work.

Classic examples of poor communication and coordination show up in development projects that roll forward without security involvement until the last minute, when the security team suddenly becomes a “blocker”. Another example is shadow IT - vendors being onboarded and confidential data sent to them without any sort of review or risk assessment. In both cases, people may understand the risk it poses but, rightly or wrongly, they won’t come to the security team to discuss it if they feel it will make their life harder and provide them with little tangible benefit. Making matters worse, no one in the organization will feel particularly bad about any of this if people believe that dealing with the security team means delays and pushback from a hardline stance starting with “no”.

Having the right people on the front lines is key to preventing this silent weakening of your security profile. A team made up of solutions-oriented people who are approachable and proactively collaborate to help find solutions is much more likely to be brought in early into the design/evaluation/diligence process. This still requires a high level of technical proficiency of course, but when security teams are hard to work with, people avoid them and the value from that technical proficiency goes unrealized as projects get implemented without security partnership.

Culture as a force multiplier

Even with a strong or large team, you can’t build a robust security program without the entire organization being involved. Well-staffed companies rarely have more than 2 - 3% of their personnel dedicated to the purpose of securing their assets. This means that teams need to work as force multipliers by enlisting the broader organization to the cause. The “Security Champions” movement of the past several years has been a great way to add eyes and ears in the field but has generally been focused within engineering organizations. Using the same idea to spread security awareness and culture across the entire business takes a different approach and has an even more expansive reach and effect.

Because security teams tend to work across business units, they also have a uniquely broad view of who is who and what is happening in different departments. When your team leverages this network and connects people across the company to help solve each other’s problems, people start reaching out for all sorts of issues (not always related to security). Those same people begin to point others towards the security team when they hear about issues or projects it should be involved in. It becomes a virtuous circle of raised awareness - the more you help, the more people bring you in to help. This leads to more awareness of issues you are able to assess and address.

Understanding and harnessing motivations

To be effective and to motivate people to feel vested in security, they need to understand why they should care about a threat and what they can do to directly reduce its risk. Analysis of fear appeal theory has shown that simply telling people about a threat does not sufficiently motivate them if they don’t understand what they can do about it. Likewise, telling them what to do doesn’t motivate them if they don’t understand or believe the threat is real and applicable. Maximizing effectiveness requires the message to be framed so as to touch both sides of that equation by ensuring it is relevant and relatable to their day-to-day work.

This means that to best convey the value proposition, you need to understand the mindset of the people you are delivering it to and ensure that they understand how security applies to their specific line of work. Backing this up, research into building an effective culture of security champions across multiple departments emphasizes the need to customize your approach, as expectations of what a security program should provide may vary wildly from team to team.

Nobody wants to be insecure or put the company at undue risk; however, many times employees aren’t sufficiently motivated because they lack an understanding of what it means to them in a more direct sense. The sales organization will be much more driven once they see how an effective program unblocks deals and keeps their sales cycles moving swiftly. Conversely, they will further support efforts once they better understand what effect a breach would have on their ability to close. Customer-facing teams are generally able to very easily visualize the difficulties that will come with pitching an upsell after the company has been breached and leaked the customer’s data.

None of these teams think about security as a matter of course. When it is framed in a relatable manner and helps them understand why they should care, they become a much more receptive audience, willing to ensure that it becomes part of their processes and ingrained in the design of their work by default.

If your security people aren’t approachable, collaborative and thinking about solutions, then all the firewalls, intrusion detection and server hardening in the world isn’t going to be able to protect you from yourself. Enterprises are too expansive, diverse and rapidly changing, with an ever-widening attack surface, to be truly secured by a team that looks inward and relies solely on tools and technical controls.