Esteban Hernandez, Specialist Solutions Architect, Security, Amazon Web Services (AWS)
Security has evolved from the sole responsibility of one team to that of the entire organisation. It must become a part of an organisation’s culture, with every employee embracing security and using it as a positive framework for behaviour, building technology, and decision-making. After all, an optimistic, proactive approach is vital to build an organisation where security enables the whole business to move faster and stay safe.
Creating a culture of security is the future, but what does it look like in practice and how can organisations ensure they are following effective guiding principles to keep them on track? What can you do today to promote a positive security culture?
What does a culture of security look like?
A positive security culture is one where the security team works collaboratively with the rest of the business. If we assume that people want to do the right thing, then we should make the secure option the easiest option. This goes beyond looking at the technology, to looking at the people who use it and the organisation’s culture.
Traditionally, organisations treated security as a gate to pass or something that was bolted on at the end of a project. It was the responsibility of people with security in their job title. By contrast, successful businesses think of security and resilience positively, as fundamental to a company’s culture, and as a concern for all enterprise executives, managers, and employees. This approach ensures security is central to all daily business processes, increasing resilience and improving the organisation’s ability to respond if there is an issue.
To create a culture of security, businesses must follow ten key principles, five of which we will outline in this blog:
Education: This means keeping your workforce skilled up on the available technology, seeking advice from security specialists, and working to understand security policies and rules. Doing so maximises every employee’s ability to be the first line of defence in their company’s security programme, cutting down the chance of simple errors that could result in a security issue. It also includes setting the expectations for the whole business, be it the security configuration that should be implemented by application developers or the patching responsibilities of product owners.
Hygiene: Good security hygiene is vital to preventing basic mistakes from turning into security threats. As such, employees must understand the dangers of poor security practices, such as sharing user accounts and passwords. Meanwhile, businesses need to ensure the access systems they have in place facilitate secure practices. For instance, AWS services offer temporary credentials that can last minutes or hours, after which they will no longer allow system access. This tightens control over service access, reducing the likelihood of unintended access to business data.
Learning from issues in a no-blame way: There will always be issues with humans and the software they build. The important thing is to learn from the issues and take action. Creating a culture where root cause analysis is done objectively and without blame helps an organisation learn. Don’t ask whether the person made a mistake; instead, ask what could be done to ensure that the right choice is made next time. You also want a culture where people are comfortable raising security issues because they know they will be supported by the security team.
Meet your people where they are: Working with your developers will help you understand the processes they go through to build and release software. This will help security to understand where they can enable developers to make good security choices, or inherit capability so they can focus on business logic. For example, integrating your cloud platform with your corporate identity provider and making sure that developers can create permissions within understood guardrails helps remove security as a gate. Providing automated checks that run in pipelines can give early feedback to developers to help them build to the desired security posture.
Metrics and monitoring: Being able to measure your security posture and give people access to data is a good way of communicating and understanding where the high-performing parts of your organisation are. If you can identify teams doing well or building innovative solutions, you can expand their use across the business. Telling people what they are being measured against and giving them tracking tools promotes a culture of ownership, which reinforces the positive security approach.
A culture of security will significantly improve an organisation’s security posture by becoming the framework through which all employees behave, build technology, and make decisions. However, for it to be a success, companies need to take a structured approach to introducing the framework. A culture of security is based on education, hygiene, threat modelling, and all employees working together as a unified team. Do this and your organisation will improve its security posture, set itself above the competition, and keep its data safe.