Does Security Have the Ability to Drive a Security Risk Aware Culture?

The other day I was drinking my morning coffee reading my daily security news and noticed an email that came into the Security Inbox. Here is what it said:

Good Afternoon Security Team – 

I have several large mp4 files I would like to move off my work machine so I wanted to give you all a heads up. There are 13 that I compressed into a 2.13 GB file which I am going to move to my personal Google Drive folder. 

If there is anything else I need to do before moving these files, please let me know. I am happy to send a screen grab of the files I plan to move. 

Thanks all. 

This simple email is an indicator of a company that has a “Security Risk Aware Culture”. A Security Risk Aware Culture shows up when you get your users to think about security before they take actions. Let’s dive a little deeper. At every company the role of the security team is to figure out what risk tolerance they need to drive throughout the organization. This is something that is typically set by the board, the CEO, and the Executive team. It’s our job as security practitioners to truly understand the risk tolerance the company wants to take and then drive this throughout the organization: through people via education, through process via constant monitoring and follow-up, and through technology via the software you deploy. The goal is to constantly balance the right risk vs. reward for the company. 

Driving a security risk aware culture is the responsibility of the security team. There is no question there, but measuring how well you are doing is 100% tied to the actions your employees make. The security team alone cannot protect the company. Protecting the company and making the right risk decisions is something that has to happen throughout the company on a daily basis. Security is every employee’s responsibility. Pause for a moment and ask yourself these questions.

  • How often does your employee base reach out to security? Not the other way around. 
  • How do people talk about the security team when you are not around? 
  • Do your employees take actions to go around the security controls that are put in place? How often does this happen?

The answers to these questions are a good gauge as to how you are doing in building a Security Risk Aware Culture. 

Let me take a minute and talk you through our path here at Code42. I started with the company 4 years ago. At the time we only had 4 people in security and I can tell you, we were a department that constantly told our users ‘no’ and we did not have a fantastic reputation of building trust with our end users. If I were to answer the questions above four years ago, I can tell you I would not be proud of the answers. 

Let’s fast forward to today. Today I work with an incredible group of people across the organization that know that security is part of their responsibilities. They understand what it means to be part of the larger security team. They respect the controls that are in place and constantly reach out to the security team when they need help. They are aware of the risks and seek guidance on appropriate actions to take to continue to keep the company safe. So…how did we get from where we were 4 years ago to today? 

There were a few key pillars that we followed throughout our journey. 

  1. We stopped saying no and started explaining the risks. This simple action allowed us to focus on the risks that exist when taking certain actions. When you start to explain the “what could go wrong” or “risks” involved in a decision, you start to bring the company along and educate them to make the right decision. In some cases only explaining the risks was not enough, we had to show them. In these cases we leveraged our Red Team employees to exploit a certain vulnerability. This type of activity makes it real for people that don’t live and breathe security like we do every day. This helps to take the theory out of the “what could go wrong” and show people the exact way things could be exploited.
  2. We stopped blocking productivity and started monitoring and educating. We like to believe that people working for our company are good people, we were the ones to hire them after all. Most companies have good people just trying to get their jobs done. They don’t want to go around security controls or parameters, but let’s be honest…as security leaders we are all guilty of implementing a security control here or there that does not make sense, slows our users down, and frankly just makes everyone mad. We have decided to trust our users and operate in a ‘trust but verify’ way. We have figured out where we can stop blocking productivity and start monitoring for accidental misuse instead. When users make mistakes, because they will, they are human, we want to be there to follow up and educate them on the right way to do things. Things like spotting phishing emails, sharing data securely, and securing cloud resources become education efforts for our team. By the way, this is not solely the responsibility of our Awareness manager, it is a shared effort by everyone on my team to continuously educate the organization.
  3. We stopped solely driving the security mission and started being allies. At the onset of my journey here, the one thing that was not lacking was passion for security. But I’ve learned that that can be an impetus for security folks to want to wave the security flag at every opportunity, even some that may not require it. That passion, without the risk-based guardrails, can create adversarial relationships with our employees. Once we identified that, we turned things around using the steps above. We will never lose our security passion, that’s what makes this field so exciting, we just need to balance it with risk-based decisions in everything we do and to help bring our partners along with us. Chrysa Freeman on my team wrote a whole piece about becoming Allies with the company in a blog post linked HERE. Taking this approach within your company is not only a more effective way to get things done, it is a way that ensures you have the collective company behind you. 

The role of a security team is not an easy one. It requires constant diligence and endless risk balancing. By taking certain steps to drive a risk aware culture throughout your organization, I can promise you that the role of the security team becomes easier and less burdensome. After all, it’s better to have the whole company watching for risks than just the people with ‘security’ in their title.