- Last Week As A vCISO
Beyond Training: Lessons from Pixar blocking Innovation
Pixar had very similar cultural issues that face security organizations today
See below for $200 off my new course: Cybersecurity For Startups
Pixar and Roadblocks In Innovation
In the early days of Pixar, there was a lot of resentment toward production managers. These people have the thankless job of making sure a movie ships on time and under budget. They are the analog of security people, who are given the responsibility of making sure the company does not get hacked.
The resentment stemmed from a micromanaged approach in which creatives had to go through production managers for all communication. Production managers were seen as slowing down progress and as roadblocks. They were also seen as second-class citizens.
More on how they solved this later.
Building Security Culture
So how do we build security culture?
I was updating the syllabus for my Cybersecurity For Startups course and came upon the security awareness section. Staring at it for a bit, I tried to think whether there was something different I could do. The security community has a variety of opinions on training, education, and red teaming and how to approach them, so I wanted to reflect on how I usually approach this and advise clients.
Thumbing through the other modules of the course, I remembered having a section on Security Culture, and that culture is pivotal to the success of a good security program. There it was: double down on security culture, and everything else will fall into place.
So security awareness training is a subset of building security culture. Yes, we need to have our training, but it HAS to be multi-modal, not just video training, and not antagonistic.
How do you build it? The same way you build a company culture, or a product culture.
Someone asked me once, how do you know you have a good security culture?
Some ways you know you have a good security culture
When people are internally reporting security issues and ideas to you
When people are excited to interact and meet with you
When people are proactive in their security efforts
How Pixar Removed Roadblocks To Innovation
How did Pixar learn about the cultural issues they had and find the root cause? They sat down with people and had open-ended conversations. In the end, they let anyone communicate directly with anyone else and inform managers afterward. This broke down barriers and, unsurprisingly, increased collaboration.
As a security manager, allow your people to work with and communicate with other groups and update you accordingly.
As a non-security manager, empower and reward your employees for baking in security or reaching out to the security team to understand best practices.
Recommendations for building security culture
Think of the employee as a customer
Take on a product manager’s mindset and learn about their problems and workflows
Do not create solutions in a vacuum
Each interaction with an employee is a representation of the security team and the culture of security
Align with the company's values and culture
Talk, yes actually talk, with managers at all levels. Understand their world. Use it as an opportunity to learn about them, but also to educate and inform them about your concerns and the trending risks out there.
Don’t be pedantic or use FUD
Leverage people’s inherent altruism. People want to do the right thing, they just need to be enabled and informed
Enablement means reducing friction
Informed means being made aware, where they were not aware before
It takes six to seven interactions for something to stick
Use a multi-modal approach
Live talks at all-hands
Storytelling and Comedy
Relate it back to company incidents (where feasible)
Have open-ended conversation with people
Course Release: Cybersecurity For Startups
Want to learn all the tools and tactics for building security culture at your company?
Want to learn everything there is to managing security at a startup, such as:
Securing Infrastructure and IT
Governance, Compliance, and Risk
Org structure for success
Building Awesome Product Security
Incident Response & Disaster Recovery Planning
This is an extensive live course of everything I’ve learned managing and growing security in the past 4 years at startups like Justworks, Masterclass, Casper, and countless other smaller ones.
Sign up for Cybersecurity For Startups today and get $200 off the course!
Use code: cybermonday
Note: If you can’t make any of the dates, make sure to sign up for the waitlist.