Creating a Culture of Security
A crisis can take many forms and, whatever the cause, once thrown into such a predicament, your organization must quickly adjust to the new reality. With the pandemic we’re facing today, the future of work is changing. As the world reacts to a global pandemic and the work-from-home model becomes the norm, people are more broadly distributed and applications, systems, and infrastructures are more vulnerable than ever. As a result, companies are looking to their IT and security teams to lead the way.
When facing a challenge like COVID-19, security becomes everyone’s responsibility. For those responsible for security decisions, understanding the unique security posture and requirements of your company is paramount and can offer a competitive advantage. While the need may be urgent now, creating an organization full of security evangelists will have the greatest impact in the future.
We can all agree that strong leaders invest in building company culture. With a positive culture comes respect, teamwork, enthusiasm, accountability, recognition, and, ultimately, business success. But when defining and articulating organizational culture, rarely do leaders mention security. No matter how much money you spend on cybersecurity, or how many people you add to your security team, a weak security culture will put a drag on your efforts to reduce and mitigate risks.
Compliance is the great equalizer, thus a great place to start when securing buy-in from leadership. Everyone from enterprise giants to small startups must now confront strict regulatory and compliance demands. And the stakes could not be higher. Enterprise businesses that fail to meet these standards risk their customers, reputation, and the ability to operate. Smaller businesses that choke on never-ending audits and checklists risk burning precious resources, disrupting customer relationships, and forgoing enterprise partnerships. Whatever your compliance goals may be, gaining buy-in from leadership will be key in extending a culture of security across your organization.
To avoid being the security team that’s forever harping on security, major security initiatives are most successful when the rest of the company sees executive-level prioritization. In its simplest form, executives should play by the rules! If you require two-factor authentication for employee log-in, make sure your CEO has Duo on her phone. If you roll out new security training for employees, make sure your CFO is the first to complete it. Public support can also go a long way. If you’ve finally earned that ISO certification you’ve been fighting for, have your COO call out the efforts put in by your team and encourage your CSO to emphasize the value customers may see when picking their vendors. This support can make security something to rally behind.
Finding Your Fit
Security is no longer relegated to the back corners of an engineering department. Phil Venables of Goldman Sachs, speaking at HackerOne’s Security@ conference, put it best: “Security is too important to be left to security professionals.” While it’s not the same for everyone, it’s on you to work with other teams to find where security fits into their workstream.
For sales, arming Account Executives with language around the security and compliance programs that are in place, and the benefits of those programs, can help customers see how your product can fit into their environment. Knowing security can close deals will make supporters out of your sales team.
For engineering and product, all decisions should be made with security in mind so new vulnerabilities or issues are caught before they impact your overall security posture. If engineering knows you make their code look good, they’ll want you in their review cycle, helping you meet regulatory requirements and match best practices.
For teams like marketing that require a lot of third-party tools, clueing them into your vendor review process can have them see you as an ally and not a blocker. Allowing them to bring preferred vendors to you and sharing your criteria and process for evaluation can help them to feel part of the process and see how you’re helping them by not introducing new security vulnerabilities into their workflows.
For employee success, listening to their recruiting goals will allow you to figure out your best investment. If the team is thinking about opening a new office, offering your assistance in looking into the physical security of new locations and checking OFAC and State Dept. lists, as well as locations with a high number of zero days, can help them make stronger decisions while keeping employees safe. If, like most of the world today, allowing employees to work from home is of value, make a VPN or Zero Trust Networking part of the discussion, both to ease the transition and to meet your security needs.
Default to Disclosure
Creating this shift to a security-first workforce doesn’t happen overnight, but education will help. Part of this shift can happen when things go awry.
Before COVID-19, the world around us was moving into a pretty individualistic point of view. Suddenly, a crisis struck and it’s more important than ever for us to come together to survive. At the same time, in security there arose a need for us to learn from each other and hear from each other. We’re facing new challenges and existing challenges are arising in higher volume in new guises.
Default to Disclosure is one of our values at HackerOne. And while this isn’t a mandate, it is something we encourage every employee, customer and hacker to think about. By sharing where we’re vulnerable, other companies can learn, friendly hackers can grow, and we’re all safer in the end. Being open with your company when there is a security vulnerability or when something has gone amiss can help them learn about the value, impact, and important work your team does, building a community around security.
Together, we hit harder. Together, we’re all more secure.
Samantha Cowan, Head of Security Compliance, HackerOne