Security is a crucial part of any organization, and the potential costs of security breaches are enormous. If you are not convinced of the risks faced by businesses online, all you need to do is google security breaches. Just 10 massive breaches exposed over 700 million records last year. When we take into account that the global average cost of every stolen confidential record comes to $148, there is ample reason to beef up your security efforts.
Hardware and software precautions are readily available and relatively easy and cost-effective to implement. However, as with most complex systems, the biggest vulnerability is human error. It is all too common for companies to implement the latest security procedures and protocols, only to have their security culture lag behind and cause problems down the line.
Successfully implementing a security culture helps to promote your desired security behavior and protocols amongst your staff, and results in a security-conscious workforce. Security culture can be evaluated by the actions your employees take when left to their own devices. Will they click on a suspicious link, leave their laptop unlocked when they leave their workstation, or share their passwords? The following checklist will help guide your efforts towards a sustainable security culture that will generate security returns for the foreseeable future.
1. Start with Awareness and Build on That
As with any important changes, the first step is to be aware of the problems and risks. Be sure to present your whole team with the security basics. You cannot expect your employees to be accountable if they do not first have full awareness. Security awareness is all too often implemented in lackluster and boring ways, and this is a formula for failure. Try to add some creativity and a personal touch to your awareness trainings.
Building awareness is not a “one-and-done” process but should be an ongoing activity. When you do encounter a security breach, do not miss the opportunity to use it as a teaching moment. Gather your team and analyze what went wrong, as well as how the crisis could have been avoided. By going through real-world examples, you will not only make your team aware of common risks, but you will also demonstrate an active interest in building a security culture from the bottom up.
If your employees feel involved, they are more likely to be receptive to your message. Note that security culture is a much wider concept than security awareness. While awareness deals with just knowing about security risks, security culture also encompasses behaviors, attitudes, cognition, communication, compliance, responsibilities and norms.
2. Security for All
A common misconception in many organizations is that security matters are limited exclusively to operations within the security team. This is why it is vital to promote the concept that security belongs to everyone, and that each and every person is accountable for being security conscious at all times. A hallmark of a great security culture is the feeling that everyone owns a part of their company’s security solutions.
To achieve this all-in mentality across the board, it is prudent to integrate security into the very definition of your company. Your vision and mission should mention security, as these are the high-level statements that people look to in order to understand what a company is all about. Anyone who interacts with your company, be they clients or employees, needs to have a strong awareness that security is non-negotiable and of the highest priority.
3. Work on Your SDL
Growing and maintaining a sustainable security culture is impossible without having a solid Secure Development Lifecycle, or SDL. The SDL is, at its core, a collection of activities, processes and procedures that must be performed before and during every software release. It deals with the practical “how-s” of your security culture. Threat modelling, security requirements and testing activities all fall under the umbrella of SDL.
SDL was first created in 2004 as Microsoft’s response to several high-level cyberattacks and security breaches. Fast forward to today, and SDL has become a household name in any reputable software company. If you do not already have an SDL in place, Microsoft has made a lot of SDL documentation available online, free of charge.
4. Shift to DevSecOps
A tried and tested trend in IT is a shift from a DevOps to a DevSecOps mindset. As the name suggests, security plays a vital role in DevSecOps culture. The goal is to merge security with development and operations by making everyone in the software development lifecycle (SDLC) responsible and accountable for security. The focus shifts from merely detecting threats to assuming and preventing them.
The first step to creating an effective DevSecOps culture is to conduct a risk/benefit analysis and determine the overall risk tolerance of the project. The risk tolerance depends on many factors, including speed to market and the amount of security controls needed within a given app or piece of software. Once you know the risk tolerance, you can continue integrating security into your DevOps culture.
While conventional DevOps puts security at the very end of the software development lifecycle, DevSecOps embeds it into every step of the process. The goal is to automate as many of the core security tasks as possible by setting up security processes and protocols early on in the DevOps workflow. Automating security controls from the very start minimizes the risk of mistakes and misadministration going unnoticed and leaving you open to attacks. This makes DevSecOps vital to businesses that rely heavily on cloud services because it prevents costly downtime.
5. Encourage Incident Reporting
Even the most rigorous security plan means next to nothing without social responsibility. If something does go wrong, your employees will be the first to notice it. This is why management should create an open environment where everyone is encouraged to report incidents, as well as any other suspicious activity that they might have noticed.
If incident reporting is a core part of your corporate culture, you will be able to identify security issues before they become a serious problem. Recognizing and rewarding team members for detecting a problem or risk will strengthen your security culture in the long run. It is a clear sign to others that they are welcome to do the same.
6. Nurture a Security Community
To have a strong security culture, you will need to develop a security community. This community will form strong connections between employees throughout the organization, and encourage a team mentality. Be aware that every company has employees of varying security interests and skills. There are three basic categories: advocates, sponsors, and the security aware.
Security advocates are passionate and knowledgeable about all things security-related. These are the people who can spearhead your security efforts as well as help and inspire others to follow suit. Sponsors are people in management positions who are responsible for security vision, direction and implementation. Lastly, the security aware are not passionate about security, but are aware that they should contribute to improving it.
Weekly or monthly security meetings help to strengthen your security community, as does one-on-one mentoring. If you have the resources, consider organizing a yearly security conference. By doing so, you will create an environment where your best security experts can share their skills, knowledge and insight with others, as well as keep up to date with the latest security trends.