Great Minds Think Together: Code42 Security Guild

How do we scale security in development where resources are scarce? The typical answer is via automation, but how do we automate people?

Having worked in security for a few years now, I often find myself with much more work than time. For instance, when I started as an analyst, I had about 10 application teams working with me to ensure security requirements and testing were completed. When I left that position, I had 40 teams requesting that I help them secure their application.

The problem: I am not scalable. 

This led me to wonder: how can we support individuals who want to be secure in a way that is scalable? One answer is collaboration. 

People can’t be automated, but we can deputize security across the organization. The right way for Code42 was to start by trusting developers to “Do It Right” while they “Get It Done”. We can allow developers the autonomy to learn how to code securely. We can also rely on them to run static code analysis tools and entrust them to include this within their deployment pipelines. If we give developers a safe place to address security concerns, we can achieve more together. 

As an added bonus, security no longer blocks anyone’s work. We can simply be available to developers when needed to review any findings or concerns. 

Because they have addressed the low-hanging fruit, developers are able to address the hard questions about security: where and when it can and should be applied. 

Developers are the experts in their domains. They know how security modules will impact their application, and they know where that can happen in their implementations. Furthermore, have you ever looked for a security professional with extensive software development experience? It can be like trying to find a unicorn. If you’ve found one and happen to work alongside them, consider yourself lucky.

At Code42, we have a Security Guild made up of volunteers from each development team along with members from the security department. These are the folks you want participating in the guild, as they have a general curiosity for how security affects the projects they’re working on, and can take their learnings back to their teams.

Each team’s representative becomes the security expert on their team, and the guild meets regularly to discuss security-related topics. Each representative brings questions and concerns from their development team to review as a team. 

The security team benefits, and the developers do too!

The security guild allows developers to grow their skill sets. The security team benefits from the visibility into the security concerns of their developers. Together, both identify and develop solutions as they collaboratively address their concerns.

A great example of this partnership is when we gear up for the annual Secure Code Review training. As a guild, we review the questions, add new ones, and customize them to topics relevant to us in the current moment. We also take time to have honest conversation on whether the questions are confusing or biased and work towards a better question. This collaboration across departments ensures that we continue to further strengthen our relationships and bring value to one another. 

How do you scale your security engineers?

My take: I’ve been in this role for a few years now, and I’m still learning and growing. I think the most important thing is to be engaged first. Learn how developers receive and do their work. Choose courage and be the person who asks the “dumb” questions. Find balance and hold each other accountable for security. Lastly, discover ways to be collaborative within the organization, because together we win.

At Code42, we are lucky. Our company’s dedicated and engaged employees drove the success of the Security Guild. We’ve encouraged everyone to see security as part of their responsibilities and inspired our most security-curious employees to educate themselves and grow their skills. With great minds thinking together, security is achievable.  

Creating a Positive Security Culture

Why create a positive security culture in your organization?

There’s a lot of buzz these days around having a positive security culture. It was the basis for conversation at this year’s Forrester Risk Summit around Trust. And it’s a key factor in the new Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Program Goals (CPGs). The benefits are plentiful: reduced friction between security and other departments, increased collaboration with users and an overall improved working environment, to mention a few.

Despite these benefits, there are costs. Moving your team from a traditional security approach to embracing a new way of working, not to mention a new way of interacting with others around the company, takes intentional effort and may not happen overnight, especially if you’re coming from a “no” based security culture. But it can happen, and it is doing so at increasing speed across the security industry.

How to create a positive security culture

While every organization will have its own nuances and cultural norms to consider, there are foundational elements to establishing trust and creating a positive security culture – we’re going to give you a roadmap and outline them here. 

Part 1: Have a Vision

Critical to most organizational success is having a strong and well communicated vision and mission. CEOs proclaim them from the mountaintop and share them on their websites so customers and potential talent know where they stand, what they are about and where they are going. 

This is key information to keep everyone driving toward the same finish line and for top talent to consider whether your company will be a good fit for them or not. 

I think most CEOs would agree with this statement:

According to a study by Bain and Company, organizations that align their vision and mission statements with their strategic plan perform better than those that don’t plan their vision and mission statements carefully.* 

Some organizations and boards hold a tight rein on the mission and vision statements and wish to have only company-wide statements, to avoid confusing employees. Yet if those statements help drive success for the company, something similar that rolls up to them for your department will help everyone stay focused on the same goals.

So, maybe we call it something else such as a Team Brand Statement like those used for individuals as they grow in their career paths. This is what our CIO/CISO did at Code42 and it has become The Way or guiding light for everyone on her team. I can tell you it has shaped our security culture in the most magnificent way and at the same time it helps drive productivity. 

Part 2: Develop and Implement a Security Team Brand Statement

When building your team brand statement you’ll want to keep it strong, succinct and catchy so it is easy for everyone to remember. It should help others understand what your team does, why it does it, and what makes it successful in building a positive security culture.

A good team brand statement keeps the main goal front and center. What do you want to be known for or remembered as? For instance, do you want to be known as a difficult team issuing roadblocks, or as a partner team helping departments meet their goals and solve their problems more securely?

Another key aspect of a good team brand statement is clarification of your guiding principles or what you believe in that drives all projects, interactions and decisions.

Here’s an example of a good team brand statement:

SECURITY TEAM BRAND STATEMENT

What do we want to be known for? Remembered as?

We believe in:

Trust, Transparency, Collaboration, Protecting <our company>

We are known for:

We are known as trusted experts who create and maintain a world-class program by building trust and transparency with our stakeholders. We transparently share how we watch data to help build trust with users.

We support a positive security culture by presuming positive intent when risks occur. We are empathetic listeners as we partner with users to lower risk to data. We are enablers of a collaboration culture while keeping the company safe. 

Once you have a draft brand statement, partner with whomever you consider to be your trusted advisors for feedback. Ask them:

  • Are these the top level items we should be striving toward? 
  • Do these position us well to support the success of the organization?
  • Is this something we would share with our stakeholders and partners?
  • Are these straightforward and actionable for the team?
  • Are these memorable?

Take that feedback, run it by the leaders on your team and ask them the same questions. Allow a good amount of time to really dig into it. Consider doing an offsite event around it. Remember, this is important in shaping the culture of your team, so spend the time to get it right.

When it is ready for prime time, share it with your entire team, going over each statement and adding examples for clarity. Give them a chance to weigh in and provide feedback. Make adjustments as you see fit given the feedback you’ve received. This should now be in its final state and ready to rock and roll.

Part 2a: Implement your statement 

Help your team keep these goals top of mind by posting it where it’s easily accessible to them, perhaps in a corporate communication or collaboration tool. If y’all are now coming into the office at least once a week, post it on the wall!

Your brand statements are only good if they’re actually used. When you see small acts by members of your team that align with any of the statements, celebrate it! Calling it out as a win to the rest of your team will breathe life into your statements as the team sees you noticing their positive behavior. As you see more and more of your team rallying around the statements in everything they do at work, and through partner and user feedback, that’s when you’ll know that your Brand Statement is truly alive and well.

Part 2b: Repetition and reminders

As with anything new, and especially when we’re seeking behavior change, it’s important to help the team keep the Brand Statement top of mind through reminders. Daily is too much, but a quick reminder at monthly meetings at first, spending just a moment on the statements, works well. Once the team is operating successfully with the statement, you can reduce reminders to a quarterly check-in to keep the statements top of mind.

Use an annual review cycle to keep your documents in line with business changes so that your statements don’t become stale. Doing so annually helps set an expectation from your team on when they might expect updates or changes to the statements. Conduct ad-hoc changes only when absolutely necessary to reduce change fatigue.

Part 3: Build Trust – Every. Single. Day.

Another key component to a positive security culture is to build trust across your team. Trust starts from within the team and then extends outwards to users and partners across the enterprise. Only when employees trust the security or risk team will they come to them with questions, comments, or concerns. As most security frameworks include training employees to report concerns, users are more likely to engage with your team if they’ve had positive interactions with them. This Harvard Business Review (HBR) article on trust sums it up perfectly, “In short, to boost engagement, treat people like responsible adults.” 

Positive security cultures and Insider Risk Management (IRM)

As you build an Insider Risk Management (IRM) program, the components above will work towards its success. You’ll want to consider using empathetic investigations, which differ from traditional security investigations because you’re investigating your colleagues rather than external actors. It’s the right approach if you endorse a positive security culture within your organization. But as with anything, if it doesn’t match the culture of your team it will fall apart. So, first things first, get your security or risk team on the same page with your vision of a positive security culture. For instance, if users get positive replies from the security team every time they reach out with questions or concerns, your insider risk team will be met with a more cooperative user when they reach out to them when, say, the user puts data at risk. It can mean the difference between a user who panics and denies any knowledge of the situation and one who does not feel intimidated and is therefore more likely to cooperate quickly and transparently.

Of course, there are many more factors to consider when adopting a positive approach, including the benefits of transparency along with trust, which you can read more about in a recent Code42 blog post on the three “T’s” that define an IRM program.

Change can be challenging, so have some compassion. When you see someone on the team not adopting the new team brand, take a moment as soon as possible to highlight how they might have responded differently. Old habits are hard to break, so it’s easier to simply replace them with new habits or incremental changes. You can read more about breaking and creating habits in B.J. Fogg’s book, Tiny Habits.

Acknowledgement

Most of the ideas expressed here were generated by way of our Chief Information Officer (CIO) / Chief Information Security Officer (CISO), Jadee Hanson. She has created a highly positive and productive security culture using several tactics based on a strong brand statement. Many thanks to Jadee for leading the way in a functional positive security culture!

Resources

Bain and Company Mission and Vision Statements

Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Program Goals (CPGs)

Harvard Business Review (HBR) article on trust

Code42 Blog Empathetic Investigations

Code42 blog post on the three “T’s” that define an IRM program

B.J. Fogg’s book, Tiny Habits