What are some tips and best practices for building and infusing a security culture within an organization?
- Executive buy-in: A culture of security requires organizational buy-in. It starts with educating executives and creating awareness. Executives then, in turn, need to support the security initiative by investing in and supporting the lines of business with funding and resourcing.
- Awareness and training: Once an organizational buy-in has been established, a broad security awareness and a role-based training program is needed for the organization. Because the use of technology is prevalent across most organizations, every employee requires at least a baseline of security awareness.
- Always start the education with why: Training and other security programs, such as security champions programs (see below), will be most effective when participants understand why they are doing something and how it connects with the broader goals and vision of the organization.
- Define security accountability as part of every role: It’s a recipe for failure when security is defined as the job function of a few individuals in a security team. Security needs to be owned by software and systems owners. Governance structures also need to ensure owners and their teams feel accountable for the security of their own systems. Organizational security teams are there to provide support and provide guidance, rather than take ownership. Having these defined roles ensures that security ownership, and its associated actions, are not perceived as distractions to the business goals.
- Setup a security champions program: Security champions are “force multipliers” for security teams. Many companies have had success in driving a strong security culture by leveraging a security champions program. Most often engineers from different teams are nominated to be trained by the security team in a rigorous program. They then become ambassadors of security within their original teams. These individuals need to be given mandate and bandwidth (in many cases a significant portion of their time, sometimes exceeding 50 percent) to be part of the security champions program and perform the duties that come with the role.
- Shifting security left: Security programs often fail when they are perceived as “roadblocks to business.” To prevent security initiatives from slowing down the business, security procedures need to start early in the development cycle — ideally in design and planning. This will ensure that by the time the project is ready for deployment, security is taken care of and vulnerabilities don’t prevent an on-time market release. Proper security enablement requires thoughtfully designed governance structures, planning, and developer buy-in and education on what is required and why.
- Organizational buy-in: Security leaders need to educate the organization and create buy-in at the outset of a security initiative. They need to provide a strong data and fact supported understanding of how implementing security early in the lifecycle of projects will reduce the effort and enable security to move at the speed of business.
A strong security program needs to be viewed as an organizational core competency. It can provide organizations with a competitive advantage by reducing compliance risks and their associated penalties, reducing costs associated with breaches and development rework, and protects the brand image.
Looking for an e-learning solution that can help to build a security culture as well as improve product security? Read our whitepaper to learn more.