Security culture is one of the hardest aspects of security to get right. Unfortunately, it is also the most important thing for security that needs to be done right. It is so important because your culture has a tremendous impact on a very important aspect of your company, your employees.
Multiple studies have been conducted over the years and the number one cause for breaches is always employees. Whether purposeful or inadvertent, breaches occur and most often traced back to employees. Why would an adversary attempt to gain access to a database by leveraging weaknesses in a web server when they can just compromise a database administrator? The level of access that employees have make them a rich target.
The security culture of a company is like any other culture: cultures thrive when employees embrace them and fail when they do not. When employees subscribe to the security culture, then ultimately the company becomes more secure because they will become harder targets and in the course of their daily work they will be able to spot a compromised machine or weak password because sloppy security stands out in a healthy and thriving security culture.
Five Areas of Focus to Improve Security Culture:
-“No, however” vs “No”
When a new implementation or modification comes down the line and it doesn’t mesh with security principles, do you say “No” or “No, however”? There is a very distinct difference between these two responses. The first response of just “No” means you have drawn a line in the sand and security trumps whatever is being attempted. The issue with this is that no doesn’t help create productivity and solve the business problem. If you allow security to stand in the way of business then you will soon be looking for a new job. The only true way to be secure is to stay out of business, so security needs to find a way to coexist with business.
If your response is “No, however” then you are off to a good start. There are times when new product may not align with the regulations that are required for your company. And that is ok. It is your job to work with the team and figure out how to best implement what they want and not violate those regulations.
By spending your time shutting down new business ideas for the sake of security, you will quickly realize that no one is coming to you anymore. And that is detrimental for security.
-Training
If you’ve never heard groans and sighs as you announce the next round of security training, then you can count yourself part of a very exclusive group of people; People with training that is both engaging and beneficial.
With all the meetings and events that are required in order to keep all the employees going in the same direction, adding more time away from keyboards is never easy. If time away is unproductive then not only is no one learning anything, the company is simultaneously losing money. The topics of discussion need to be relevant and beneficial to the employees and the company.
If you find yourself talking about the latest attack vectors to Red Hat based systems and the majority of your systems are Windows or iOS based then you are going down the wrong path. You need to understand your company and the direction it is going in order to gear you training towards those aspects. Your training can either be productive or unproductive. The more productive it is the easier security is in the long run.
-The Audience
Who is required to be a part of the culture of security? Is your CISO the only one pushing training and recommending that security be brought into development and not considered an afterthought? Or does it go higher?
People are very observant. If they notice that security isn’t embraced by everyone up to and including the CEO then why should they embrace it? Additionally, the most sought-after targets for an adversary are usually the C-level employees. A lot of open source information exists about them and they tend to have a lot of access. So, if the most susceptible employees are not required to be a part of the culture, what reason would someone else have to be a part of the culture?
-Level of Attachment
How attached you are to doing security solely in house is indicative of how quickly it will become stagnant. To think that your company is unique in how it is targeted by adversaries only sets you up for failure. You need to open your doors to third parties or similarly based companies when it comes to security in order to ensure that you are staying relevant with the latest trends and threats that exist.
Unless you are a company that does security for companies, then you are already at a competitive disadvantage for solely performing your own scans. Companies exist with the sole purpose of staying current with the tactics being utilized and then provide you with feedback on how to protect yourself; use them. This isn’t to say that you should completely outsource all security responsibility. Depending on how vulnerable your company is looking at bringing in a third party monthly or quarterly. In between those visits conduct scans internally as well.
Additionally, threats that exist today cast wide nets to see what they can compromise. If you run a deli, chances are the bakery down the street has the same potential to get attacked by the same bad actor. Have your security professionals communicate regularly with them. You aren’t sharing any sort of Intellectual Property by talking about the recent scans or attacks you’ve been seeing. You are helping to create a community that is stronger together against outside attacks.
-Best Business Practices
Some policies you can’t get around. Heavily regulated markets require certain steps be taken in order to secure financial data, health data, personally identifiable information, etc. These policies need to be put into place. This will leave gaps in being secure though. That is where best business practices come in.
Security in an information age isn’t something new. People have been doing it for a very long time. Lists of recommendations, and even steps, exist to help people bridge the gap from insecure to secure. Use these and bolster what you have in place. If something doesn’t pass the “smell test”, then discard. Your policies and procedures should be a living document that is reviewed and updated regularly. If you follow the current trends that exist and keep ingesting the best practices then a lot of the work will be done for you.
This list isn’t all inclusive. Maybe you find yourself better situated in one, or more, of the above aspects. If that is the case, then great. But if you need help in shoring up the above five areas or are looking for additional support on how best to secure your company, AKF can help.