As security threats become a bigger part of the day-to-day concerns at all types of organizations, it has become vital to inculcate and promote a “culture of security.” Yes, security is everyone’s responsibility — but it requires a shift in culture for people to begin accepting that responsibility.
Triggering this shift can be harder than it sounds on the surface. Why? Well, for one thing, most people in the organization don’t have their success measured on security. When the marketing team gets a performance review, no one brings up security. When a direct reward or consequence isn’t on the line, it can be more difficult to get people to buy in to their responsibility to help keep the company secure.
That said, it’s not impossible by any means. It just requires focused and sustained effort to change the culture. As with any culture shift, it won’t necessarily be easy or linear, but it is achievable. Here are a few steps you can take to help your team become more security-minded.
1. Recognize That It Takes Time
Culture shifts don’t happen overnight. So it’s a good idea to be realistic about the time it will take to get certain people on board. For example, it took 5–10 years for DevOps to fully catch on (and in some circles it is still a work in progress) — so recognize that it will take some time for DevOps to embrace SecOps, and for the rest of the organization to see security as part of their jobs.
Don’t get frustrated if your first security lunch-and-learn doesn’t result in an overnight obsession with all things security at your organization. After all, it’s not the most thrilling topic on the planet — and it’s certainly hard to prove every time you avoided getting breached. But keep at it! Remind your people why security is vital to the organization through an ongoing security awareness program. (If you don’t have one in place yet, here are some tips on how to build one.)
2. Identify Cultural Resistance Factors
Let’s be serious for a minute. We love security, and many of us are security geeks through and through. But there’s a certain attitude that often comes with working in security. When your day-in, day-out work involves catching bad actors and slapping employees on the wrist, it can erode trust. Security’s business objective is to reduce risk — which often falsely appears to be at odds with the velocity of the rest of the business.
Part of getting past this is being honest about it. Sometimes security people may feel like the “bad guys,” and sometimes DevOps will intentionally go around them or ignore them because security makes their jobs harder. That won’t fly if your organization wants to truly take security seriously.
It’s up to both sides (and all the other parts of the organization) to build conversations and trust with the people they need buy-in from in order to do their jobs. And it’s a good idea to recognize that each can learn from other perspectives. Be open-minded and recognize that, at the end of the day, everyone has the same macro goal: to help the organization succeed.
3. Break Down Silos
Sometimes we get into patterns where one team is throwing requests over a wall to another. “Hey DevOps, you need to develop a tighter permissioning policy.” “Hey security, can you review this release?” If you really want security to be an integral part of your organization, you can’t just throw tasks over the wall. You need to break down silos.
How? Start by integrating teams, tools, and processes. If you need another team to do something to make your job easier, then make it easy to do that. Show them how to use any new tools, or find ways to integrate security protocols into the tools they already use.
It’s a good idea to implement this in a physical way, too. If your company allows it, have ops, engineering, and security co-located in the same office and ideally the same area of the office. This way, they will communicate more with one another, and hopefully share each other’s goals, ethos, and way of working — reducing friction and increasing their ability to work together. Security and DevOps both need to have a clear understanding of what the other is doing, what they’re focused on, and why.
4. Implement Tools That Support Security Culture
The best security tools will actually support the transition to a security culture by forcing DevOps and security to work together.
5. Leverage Automation
Automation is a key component of a modern approach to IT and can be a huge help in making sure that security becomes a seamless and natural part of your organization’s culture. The more that security teams can automate, the easier it will be for both them and the people they need to work with (e.g., ops and engineering) to get things done.
When security doesn’t feel like a giant mountain to climb, other teams are more likely to offer their support. For example, Threat Stack integrates with Slack for distributed alerting. This way, non-security folks can receive an alert when something they touch causes a potential security concern. They can quickly confirm that it was them who did it and check whether it was a mistake or just a routine process that shouldn’t throw up any red flags. This process makes it easier for security to open the lines of communication with other teams, so others can do their jobs without security slowing them down.
Final Words . . .
It may take some time to get your team fully bought into the value of having a security mindset, but getting there is well worth the effort. Security teams need to understand that part of their responsibility is to educate and to make security easier for everyone. And everyone else needs to recognize that security isn’t just a tax they must pay, but a vital aspect of a healthy business.
Taking the steps above should help increase your organization’s security maturity by making the cultural transition smoother.