This post was written by Chris Romeo during his tenure at Security Journey.
Changing security culture appears straightforward at first glance: You tell people to do things differently than before, and then stand back and wait for lower vulnerability counts and improved code. But it's more complicated than that.
How do we measure security culture? Easy. Its strength will be clear if, one Friday at 4:30 pm, a developer finds a potential security vulnerability and must make a decision: stop the deployment and/or fix it, or commit the code and deal with the issue after the weekend? If the developer holds up the deployment, your security culture is strong.
You can hack your security culture so that people consistently choose the path of security. Here is one proven approach.
Start with one person at a time
To hack your security culture, you apply a series of shortcuts or tricks for getting an organization to focus on security, one person at a time. A security culture hacker is a person who manipulates the organization in such a way as to improve the state of security.
Security culture hackers demonstrate common characteristics that result in success. These characteristics begin with communication, active listening, and collaboration. Security culture hackers must first and foremost connect with the people they are trying to influence. Influence is achieved by understanding the challenges those people deal with and documenting those challenges accurately.
Also important is in-depth knowledge of the area of security you are trying to reach (developer versus general security awareness). The culture hacker must be knowledgeable in the target area to intelligently build solutions for change.
Then comes methodology and lingo. The hacker must know the terms that best communicate to the target audience. As an example, in talking to developers, the hacker must understand programming concepts and the process for software development to implement change.
Finally, the hacker must have an edge and not always be a nice guy or girl. To make an omelet, you need to crack some eggs, and to change a security culture, you need to crack some existing ideas and the "we have always done it this way" mindset.
The process of security culture hacking can be broken down into five areas: assess, communicate, connect, educate, and reward.
Phase 1: Assess
Assessing is all about creating a strategy based on where the organization needs to go in the quest for a healthy security culture. A strategy is established by evaluating the current state of security via interview and surveys and then processing the results into a plan to move things in a positive direction.
Culture change is a long game, and if you don't know the current culture and try to build a strategy for changing it, you've already lost. Understand where the organization is before trying to create change. Ensure that you develop a strategy as a result of your assessment. An assessment without a plan is a waste of time.
Some sample questions will help in your quest to understand your current security culture. (You can also use other resources, such as the SANS Security Awareness Maturity Model and the OWASP OpenSAMM standards for assessment.)
- What does security mean to us as an organization?
- How do we "do security"? How does security affect each job role?
- How risky is our application fleet or data that we store?
- Who are the attackers we face?
- Should we do high-level security-awareness training? Role-specific?
- Ever heard of a secure design principle? What are some that we apply?
- Do we have a security response team? How do we contact it?
A solid practice for assessment is to use the water-cooler principle. After meeting with executives about the state of security, say you're going to get a drink of water. Head to the break room, and then wait there for a few minutes.
When people walk in, ask them what their job role is and what security means to them. The answers you receive may be different from what you heard from the executives.
Tips for assessment
- Time-box the assessment effort; the security culture hacker needs data for where the organization is today, but not a 100-page report.
- Ensure that the assessment becomes a strategy; an evaluation by itself is just a stack of paper.
- Engage the people who do the work; hear from the managers and executives, but double-check their answers with those who do the job.
- Meet the organization where it is, or where it looks like it is going.
Phase 2: Communicate
Reach out to people from across the organization, at all levels, and tell them about security.
There are three different approaches to security communication: bottom-up, top-down, and hybrid.
Bottom-up communication focuses on making a grassroots connection. Schedule one-on-one meetings with the people who do the work, to create a relationship. In the beginning, schedule as many of these meetings as possible per quarter.
Top-down communication focuses on the executive suite first, then moves down. With this approach, you ask the executives to sign off on your proposed security changes and then propagate them across their teams. Many organizations require executive management buy-in before moving forward with any change.
With a hybrid approach, you meet in the middle, using both bottom-up and top-down. This is the best possible solution, since you work with the people who do the work and also the people who control the resources.
If you find yourself in an organization where executive management is slow to act on security change, you may have to practice some scare tactics. For example, you might exploit vulnerabilities in your products or applications right in front of your executive staff. That makes security real.
Tips for communication
- Build a strategy to reach the most critical teams or groups first. Flagship products or parts of the business are great advertising for security culture.
- Tap into groups that have real passion. Existing security passion equals early wins.
- Analyze vulnerability counts by team (if such a metric is available).
- Do not hit people up on day one to commit a percentage of their work-life to security; ease into what you are asking from them.
- Talk about security with anyone who will listen: the cleaning staff, the UPS person, anybody.
Phase 3: Connect
Connection is about embedding expertise within every team. A security champion program, with champions drawn from outside of the security team, allows you to reach beyond the security team and engage many resources.
Security champions are also called advocates, ambassadors, and guild members. The idea is to harness those passionate about security, provide them with in-depth lessons, and then unleash them in the organization.
Adobe, Cisco, and Salesforce have all had successful security champion programs, as shown in industry case studies.
Tips for connection
- Ensure proper organizational distribution, with champions from every functional group represented.
- Define champion roles and expectations; delineate what you want the champions to do and the schedule.
- Obtain management support in advance.
- Create a program as a destination, one that people seek out.
Phase 4: Educate
This must be done with meaningful, transformational security education that everyone wants to consume.
There are various ways to conduct security education. Video and hands-on training scale for both large and small teams. Classroom and in-person training has a high return but is hard to scale to large groups.
Tips for education
- Begin with the basics; never assume base knowledge.
- Start with why; focus on why the learner needs to care.
- Connect your security champions with the education program.
- Recognize individual achievements or levels.
- Pick a fun theme and market the program using the idea.
Phase 5: Reward
This involves encouraging the adoption of security culture with more carrot and less stick. People like recognition for their work achievements. Rewards are an inexpensive way to bolster the image and return of your security culture-changing program.
Reward examples
- Saying "Good job" in front of the team
- Email from a boss or executive
- Gift cards
- Enhanced training
- External conferences
As your program matures, you might be able to offer exceptional rewards for those people who have persevered within the security program as volunteers for years. An example of this might be sponsoring a master's degree in cybersecurity. This would go beyond normal tuition reimbursement, which usually requires up-front payments. Provide this enhanced top-level reward for those who have gone far beyond what they were expected to do.
Tips for rewards
- Ask team members for reward ideas.
- Plug into existing organizational rewards and recognition programs.
- Reward early and often; a rewards program is not a place for stinginess.
Keep on culture hacking
If you find yourself in need of security culture change, remember the phases. The approach is cyclical, so once you complete all the steps, go around again and see the continued positive impact of security culture change on your team.
Share your security culture hacking experiences below. What has worked with your team?