Many organizations incorrectly assume that a team of security experts can protect the other 99% of the company’s workforce.
This dangerous mindset persists in many technical product and development teams too, and members take it for granted that the security team will keep them out of trouble.
But in reality, it’s the daily informed decision making of all employees that makes the security posture of an enterprise.
Awareness as a concept aims at employees knowing about procedures, rules, and touchpoints with the security experts.
Security culture, however, goes beyond that and emphasizes a healthy mix of knowledge and follow-through by all members of an organization.
In this article, we want to take a look at some examples of how to increase awareness and, more specifically, create an impactful cybersecurity culture.
Leadership - Top-Down Approach
Significant shifts in an organization start at the highest level; the support of the executive team is, therefore, essential in building a security culture. The top management has to communicate cybersecurity as an organization-wide priority.
Regular reporting regarding the security situation of the organization and clear communication about the benefits of initiatives will help to build trust between the security team and management.
Middle managers work directly with employees and are therefore naturally an essential driver of security culture. By properly explaining requirements to their team and leading by example, team leads will get the security mindset transported to all departments. Getting middle management on board with security has a significant effect on cultural change. They are the multipliers of the program.
“I’ve seen a lot of incidents where the management says that cybersecurity is important, but then they turn around and ask for exceptions—and that is the death knell of any cybersecurity program.” —Rob Clyde
An “we are in this together” security mentality is achieved by embedding a vision and mission with leaders. This gives all employees direction on what they need to focus on.
Training and Awareness
Security training is labor-intensive but a key effort for growing and maintaining security culture.
Educating the work-force requires different approaches depending on the specific needs of the target group. For example, it makes sense to run all newcomers through a basic security program with information on common social engineering attacks like phishing or malware, introducing them to secure behavior expectations, and how to report an incident.
More tailored training for development teams can be, for example, introducing them to the Threat Landscape, the OWASP Top 10 Application Security Risks, or maybe refresh some crypto knowledge.
Departments, like Human Ressources, on the other hand, require awareness of the importance of Personnel Security and how they can help with keeping the workplace safe.
Knowledge transfer can take place in workshops, via videos or, maybe by introducing a famous data-leak case to a broader group in the organization and how it could have prevented by aligning with the policy framework. Showing that threats are close is an excellent way to encourage employees to follow security policies and best practices.
Security teams should also consider collecting feedback after a training to ensure the continuous improvement of the education program.
Secure Development Lifecycle
Secure from the start to the end and repeat. SDL is elemental to a sustainable security culture since it enables security to be integrated from the early stages of the development processes, and not as an afterthought at the very end of the delivery pipeline.
Running a product through SDL will build trustworthy solutions that have fewer security vulnerabilities.
The origin of most industry SDL implementations is the Microsoft program.
SDL is sustainable security culture in action and answers how to embed security culture in development and product teams.
Rewards
Celebrate success and recognize the people that do the right thing for security. Positive reinforcement is an excellent practice to support the effort to build a community of security-aware employees.
Adding security-related goals to performance reviews will make reasonable security practices mandatory to employees.
A positive message to the entire organization is sent by giving employees with good risk awareness more freedom when making decisions. Distributing the responsibility for security is a significant goal of security culture and therefore has to be embedded in the program.
Automation
Organizations can support employees by adding security automation to software development and daily processes. This will not only make the employee’s job more comfortable but can also significantly improve the security posture.
Examples of good automation are security scanners, static code analysis, or automatically generated governance documents. Providing security plugins for the IDE of developers shifts the feedback to the left, and takes the frustration out of a later deployment process.
Recap
Security culture is an integral part of a corporate culture that encourages people to make decisions in alignment with the organization’s best interest.
It’s a long-term and never-ending endeavor to break down silo thinking and create a sense of companywide ownership for security.
Employees have to be seen as assets in this approach; they are the first line of defense.