This post was written by Chris Romeo during his tenure at Security Journey.
Changing security culture appears straightforward at first glance: You tell people to do things differently than before, and then stand back and wait for lower vulnerability counts and improved code. But it's more complicated than that.
How do we measure security culture? Easy. Its strength will be clear if, one Friday at 4:30 pm, a developer finds a potential security vulnerability and must make a decision: stop the deployment and/or fix it, or commit the code and deal with the issue after the weekend? If the developer holds up the deployment, your security culture is strong.
You can hack your security culture so that people consistently choose the path of security. Here is one proven approach.
To hack your security culture, you apply a series of shortcuts or tricks for getting an organization to focus on security, one person at a time. A security culture hacker is a person who manipulates the organization in such a way as to improve the state of security.
Security culture hackers demonstrate common characteristics that result in success. These characteristics begin with communication, active listening, and collaboration. Security culture hackers must first and foremost connect with the people they are trying to influence. Influence is achieved by understanding the challenges those people deal with and documenting those challenges accurately.
Also important is in-depth knowledge of the area of security you are trying to reach (developer versus general security awareness). The culture hacker must be knowledgeable in the target area to intelligently build solutions for change.
Then comes methodology and lingo. The hacker must know the terms that best communicate to the target audience. As an example, in talking to developers, the hacker must understand programming concepts and the process for software development to implement change.
Finally, the hacker must have an edge and not always be a nice guy or girl. To make an omelet, you need to crack some eggs, and to change a security culture, you need to crack some existing ideas and the "we have always done it this way" mindset.
The process of security culture hacking can be broken down into five areas: assess, communicate, connect, educate, and reward.
Assessing is all about creating a strategy based on where the organization needs to go in the quest for a healthy security culture. A strategy is established by evaluating the current state of security via interviews and surveys and then processing the results into a plan to move things in a positive direction.
Culture change is a long game, and if you don't know the current culture and try to build a strategy for changing it, you've already lost. Understand where the organization is before trying to create change. Ensure that you develop a strategy as a result of your assessment. An assessment without a plan is a waste of time.
Some sample questions will help in your quest to understand your current security culture. (You can also use other resources, such as the SANS Security Awareness Maturity Model and the OWASP OpenSAMM standards for assessment.)
A solid practice for assessment is to use the water-cooler principle. After meeting with executives about the state of security, say you're going to get a drink of water. Head to the break room, and then wait there for a few minutes.
When people walk in, ask them what their job role is and what security means to them. The answers you receive may be different from what you heard from the executives.
Reach out to people from across the organization, at all levels, and tell them about security.
There are three different approaches to security communication: bottom-up, top-down, and hybrid.
Bottom-up communication focuses on making a grassroots connection. Schedule one-on-one meetings with the people who do the work, to create a relationship. In the beginning, schedule as many of these meetings as possible per quarter.
Top-down communication focuses on the executive suite first, then moves down. With this approach, you ask the executives to sign off on your proposed security changes and then propagate them across their teams. Many organizations require executive management buy-in before moving forward with any change.
With a hybrid approach, you meet in the middle, using both bottom-up and top-down. This is the best possible solution, since you work with the people who do the work and also the people who control the resources.
If you find yourself in an organization where executive management is slow to act on security change, you may have to practice some scare tactics. For example, you might exploit vulnerabilities in your products or applications right in front of your executive staff. That makes security real.
Connecting is about embedding expertise within every team. A security champion program, with champions drawn from outside of the security team, allows you to reach beyond the security team and engage many resources.
Security champions are also called advocates, ambassadors, and guild members. The idea is to harness those passionate about security, provide them with in-depth lessons, and then unleash them in the organization.
Adobe, Cisco, and Salesforce have all had successful security champion programs, as shown in industry case studies.
Educating must be done with meaningful, transformational security education that everyone wants to consume.
There are various ways to conduct security education. Video and hands-on training scale for both large and small teams. Classroom and in-person training has a high return but is hard to scale to large groups.
Rewarding involves encouraging the adoption of security culture with more carrot and less stick. People like recognition for their work achievements. Rewards are an inexpensive way to bolster the image and return of your security culture-changing program.
Reward examples
As your program matures, you might be able to offer exceptional rewards for those people who have persevered within the security program as volunteers for years. An example of this might be sponsoring a master's degree in cybersecurity. This would go beyond normal tuition reimbursement, which usually requires up-front payments. Provide this enhanced top-level reward for those who have gone far beyond what they were expected to do.
If you find yourself in need of security culture change, remember the phases. The approach is cyclical, so once you complete all the steps, go around again and see the continued positive impact of security culture change on your team.
Share your security culture hacking experiences below. What has worked with your team?