5 Ways To Build Security Culture

I was asked the other day: “How do we build security culture?” Here is my playbook.

people building structure during daytime

TL;DR

  • Get Executive Support

  • Make security accessible

  • Bake security into onboarding

  • Get in front of the people

  • Security Awareness Month - Make it fun

🧑🏽‍💼1. Get Executive Buy-In

This is pretty much applicable to almost any major initiative at any organization. When you have leadership approval, or even better, involved, then everything else is so much smoother.

No matter the size and structure of your organization, you need to find the person who has influence in the company at the executive level. In a small organization, it’s likely the CEO, but at a larger one it can be the COO, CFO, or General Counsel. Really depends.

Bringing everyone on board and having a plan (template w/examples available to members) so that they can understand what the problem is and how you are trying to solve it, and so they can make a decision on it.

Of course, if you don’t know how big the problem is, then you might want to start with a gap assessment to understand how big the chasm is.

🛣️2. Make Security Accessible

People inherently want to do the right thing, but if they don’t know how to exactly, can you blame them. Empower the people.

Here are some ways:

  • Create a public security slack channel so anyone can ask questions

    • Be welcoming and exert high emotional intelligence, otherwise it will backfire!

  • Create a security section in confluence with a collection of best practices relevant to your teams

  • Make sure people know who to go to for security issues. You’d be surprised how many people have no idea who’s “in charge” of security and just tell no one.

🛫3. Bake Security Into Onboarding

First impressions are everything. When you mention the importance of security during onboarding, you’re truly imbuing the “We take security seriously” mantra most companies claim to do.

However, don’t be handwavy… make sure to give actionable instructions to your staff with specific instructions, such as:

  • Where to go for security guides (see above)

  • Things to avoid when coding

  • How to use the password manager

  • How to avoid sharing secrets in slack and code

    • Depending on your environment and your data, if you make this a serious offense, people are more likely to adhere

  • Go over the acceptable use policy and talk about what company devices and resources are NOT for.

  • Generally good security hygiene for personal accounts (guide, not a requirement)

Of course, this should included employees AND contractors.

🗣️4. Get In Front Of the People

We are humans at the end of the day and with remote work and all, we do like to put a name to a face. Show up, smile, and show that you’re on their side. Maybe make a joke or two.

Here are some ways:

  • Show up at an All Hands and talk about security (make sure an exec introduces you). Try this 2-4 times a year at least.

  • If you have a large security team, have your people show up at the appropriate team all hands, such an Engineering All Hands, just to introduce yourself.

  • Send a monthly newsletter of some wins that your team has accomplished or highlight someone outside of security that did something awesome.

🎮5. Security Awareness Month - Make It Fun

October is security awareness month. This is an opportunity to host or facilitate a CTF. have a Hacker Jeopardy for everyone (w/pizza!), or have a fireside chat for everyone.

I’ve seen some organization make swag for employees including t-shirts, keychains, or mugs.

🥳BONUS: Reward Security Champions

Did an engineer not approve a PR because of a security issue? Or maybe someone found a security bug internally and fixed it pre-emptively?

This and other similar behavior needs to be cultivated and encouraged. It will result in a very organic security culture.

💡Keep In Mind: Building Security Culture Is a Marathon, Not a Race

Building security culture is a marathon.

It’s playing the long game and it's not a silver bullet or a tool you deploy, nor a single email.

There are several steps required and it's a bit like playing politics, especially if you’re at a larger organization.

Just keep at it, and you will get there. There will be challenging times where you may get pushback, but when you have a team member come to you thanking you for providing this information, it’s all worth it. Trust me.

Thank you for reading Last Week As A vCISO. This post is public so feel free to share it.

Join the conversation

or to participate.