Author: Ehsan Foroughi
What are some tips and best practices for building and infusing a security culture within an organization?
1- Executive buy-in: A culture of security requires organizational buy-in. It starts with educating executives and creating awareness. Executives, in turn, need to support the security initiative by investing in the lines of business and supporting them with funding and resourcing.
2- Awareness and training: Once organizational buy-in has been established, a broad security awareness program and a role-based training program are needed across the organization. Because the use of technology is prevalent across most organizations, every employee requires at least a baseline of awareness.
3- Always start the education with why: Training and other security programs, such as security champions programs (see below), will be most effective when participants understand why they are doing something and how it connects with the broader goals and vision of the organization.
4- Define security accountability as part of every role: It’s a recipe for failure when security is defined as the job function of a few individuals in a security team. Security needs to be owned by software and systems owners. Governance structures also need to ensure owners and their teams feel accountable for the security of their own systems. Organizational security teams are there to provide support and provide guidance, rather than take ownership. Having these defined roles ensures that security ownership, and its associated actions, are not perceived as distractions to the business goals.
5- Set up a security champions program: Security champions are “force multipliers” for security teams. Many companies have had success in driving a strong security culture by leveraging a security champions program. Most often, engineers from different teams are nominated to be trained by the security team in a rigorous program. They then become ambassadors of security within their original teams. These individuals need to be given a mandate and bandwidth (in many cases a significant portion of their time, sometimes exceeding 50%) to be part of the security champions program and perform the duties that come with the role.
6- Shifting left in security: Security programs often fail when they are perceived as “blockers to business”. To prevent security initiatives from being seen as slowing down the business, security procedures need to start early in the development cycle – ideally in design and planning. This will ensure that by the time the project is ready for deployment, security is taken care of and vulnerabilities don’t prevent an on-time market release. Proper security enablement requires thoughtfully designed governance structures, planning, and developer buy-in and education on what is required and why.
7- Organizational buy-in: Security leaders need to educate the organization and create buy-in at the outset of a security initiative. They need to provide a strong, data- and fact-supported understanding of how implementing security early in the lifecycle of projects reduces effort and cost and enables security to move at the speed of business.
A strong security program needs to be viewed as an organizational core competency. It can provide organizations with a competitive advantage by reducing compliance risks and their associated fines, reducing costs associated with breaches and development rework, and protecting the organization’s brand.
Beyond competitive advantages, these days organizations expect cybersecurity to be table stakes when working with other organizations.
Want to learn more about eLearning solutions? Read our whitepaper: Selecting an eLearning Solution for a Software Security Environment