As you are no doubt aware, cybercrime continues to be a primary threat to business success. A quick look at the World’s Biggest Data Breaches and Hacks shows how widespread the vulnerabilities really are. Or take a look at the unprecedented changes in data privacy regulations across all geographies. It’s not just GDPR; today there are 80 different countries that have enacted a data privacy law. It is crystal clear that security matters and that building a security culture is critical to success.
Mature organizations today recognize that there is a direct connection between consumer trust, user experience and revenue. In this fast-paced industry where technology — not to mention the threat landscape — is evolving daily, teams are more likely to succeed when security is viewed as an integral part of the business. So how do we start? I’m glad you asked. Here are two things you can do today to build more of a security culture.
Move the Chief Security Officer into the Boardroom
If you’re wondering why it matters who the CSO/CISO reports to, consider this scenario. You’ve been invited to a holiday dinner with your extended family of 15 adults, but the dining room table only seats 14, and it’s already a tight squeeze. Ultimately, someone will need to sit at the kids table. And while that may be more fun, the conversations that take place there will surely be very different than at the main table.
The same dynamic exists in organizations that do not consider the CSO/CISO to be an integral part of the company’s success. If security is only involved in senior leadership activities on an occasional basis, the organization is inviting trouble down the road. Is the only time security is discussed in the boardroom when a breach occurs? If so, then how does the organization get the transparency and visibility needed to deal with high-risk issues or other severe flaws? Is there a plan in place for security adoption in the organization? If so, is it reviewed and updated consistently?
Business success is directly tied to great user experiences and protecting sensitive data. Today, most organizations can see a point-in-time view of their security posture, but they need more real-time information about the risks they face to keep up with the threat landscape in 2019. Customers today expect, demand and even assume security is present in the applications they use. Meeting that demand requires high degrees of collaboration and communication, so don’t make it more difficult by relegating security to an island.
Realize Everyone Plays a Role in Security
In today’s software world, where there is extensive use of devices, microservices, components, containers and tools affecting more applications everywhere, the potential for things to go wrong is increasing proportionally. For this reason, every department throughout an organization is playing a role in securing enterprise data.
The Software Development Side
As I saw in recent Black Hat and DevOps World | Jenkins World events, it is clear that security is becoming more of a part of the software development lifecycle. Whether it is incorporating static analysis of source code at commit time, running dynamic scans on built binaries, incorporating interactive security testing or enhancing penetration testing, teams are recognizing the value of building security into their processes versus trying to bolt it on at the end.
And it is all the more critical if your organization has some of the estimated 96.8 percent of developers that use open-source components. What happens when a critical vulnerability emerges for one of them? If you are relying on a central IT team, but have inconsistent software inventories, how can you be sure you’ve identified all the affected systems? Are processes and systems even in place to reliably communicate what needs to be done? And if you depend on employees to manually initiate patching efforts, how can you confirm they actually happened? Too often, processes are a mix of automated efforts for some systems and an honor system for others. In this model the inconsistent lists, inaccurate inventories and unclear, unenforced policies can easily leave critical systems exposed.
DevSecOps is all about incorporating security in the software development pipeline, but just as a cultural change was needed to move organizations into a DevOps model, it takes a new mindset: that a security culture is critical to success. It is not enough to run occasional vulnerability scans in a delivery pipeline or conduct penetration testing on a frequent basis. The culture change is to make security a part of design, documented in requirements, developed using secure coding practices and accounted for through and beyond production. Building security into an application builds trust for that application in production. In short, it has to be seen as a business enabler.
The Non-Software Development Side
One real problem in this space is that people don’t really know what they have. Ask someone how many applications are really on their laptop or device and there will likely be many that they are not even aware of. Or ask five people how many applications their organization supports and you’ll likely get five different answers. And just try to get a full inventory of the services, libraries and components associated with those applications. That information is often scattered across departments. IT has one list, security has another, and the two are rarely consolidated or cross-referenced. Maintaining an accurate software inventory goes a long way in ensuring machines and devices are compliant. Otherwise, the impact of a disconnect can be devastating when a breach happens.
Industry has moved far beyond just enforcing password policies. Today, every employee plays a critical role in your security strategy and needs to act as a first line of defense. Take the time to educate them on your policies and, most importantly, how they impact the business. Then make sure to enforce them because the policy you enforce today just might prevent a breach tomorrow.
Security Culture is Key For Delivering Real Business Value
To summarize, security culture is becoming a currency for organizations. Studies such as IBM Security’s “Future of Identity Report” show that consumers are prioritizing security over privacy and convenience for nearly all application types. It’s no longer acceptable to simply add in or account for security during the development life cycle; it must be incorporated from conception to completion.
And today, critical systems left exposed could be sitting in the pockets of your employees; the personal devices they use every day. How aware are your employees of your organization’s policies and procedures? Are they enforced? Are devices they use to access enterprise data in hotels, coffee shops and in transit secure? Making the problem worse is the blurred line between personal and professional use. How can you know that all the apps downloaded to these devices are safe? How do you help your employees to secure their own devices?
At the end of the day, security needs to be ingrained in organizational culture. It has to be perceived as critical to the company’s success, and inclusive of all employees across the enterprise. Organizations that do this well are better positioned to build trust and provide the exceptional user experience that customers demand.