6 ways to develop a security culture from top to bottom
1. Instill the concept that security belongs to everyone
Many organizations have the opinion that the security department is responsible for security. Sustainable security culture requires that everyone in the organization is all in. Everyone must feel like a security person. This is security culture for everyone. Security belongs to everyone, from the executive staff to the lobby ambassadors. Everyone owns a piece of the company’s security solution and security culture.
2. Focus on awareness and beyond
Security awareness is the process of teaching your entire team the basic lessons about security. You must level-set each person's ability to judge threats before asking them to understand the depth of those threats. Security awareness has gotten a bad rap because of the mechanisms used to deliver it. Posters and in-person reviews can be boring, but they do not have to be. Add some creativity to your awareness efforts.
On top of general awareness is a need for application security knowledge. Application security awareness is for the developers and testers within the organization. In your organization, they may sit within IT, or they may be the engineering function. AppSec awareness is teaching the more advanced lessons that staff need to know to build secure products and services.
3. If you do not have a secure development lifecycle, get one now
Secure development lifecycle (SDL) is foundational to sustainable security culture. An SDL is the process and activities that your organization agrees to perform for each software or system release. It includes things like security requirements, threat modeling, and security testing activities. SDL answers the how for your security culture. It is sustainable security culture in action.
4. Reward and recognize the people who do the right thing for security
Look for opportunities to celebrate success. When someone goes through the mandatory security awareness program and completes it successfully, give them a high-five or something more substantial. A simple cash reward of $100 is a huge motivator for people, and will cause them to remember the security lesson that provided the money. They also will be quick to tell five co-workers they received cash for learning, and those five will jump into the training quickly. If you are shuddering at the idea of giving away $100 per employee, stop being so cheap and count the cost. The return on investment on preventing just a single data breach greatly outweighs the $100 spent.
5. Build security community
Security community is the backbone of sustainable security culture. Community provides the connections between people across the organization. Security community assists in bringing everyone together against the common problem, and eliminates an "us versus them" mentality.
6. Make security fun and engaging
Last, but certainly not least, is fun. For far too long people have associated security with boring training or someone saying no all the time. To cement a sustainable security culture, build fun and engagement into all the process parts. If you have specific security training, ensure that it is not a boring voice over a PowerPoint presentation. If you engage your community through events, do not be afraid to laugh and goof around some. In my previous role, at each monthly security community event, we started the meeting off with a game of security trivia with a different security category each month. We did hackers in the movies one month and security news in another. This is just an example of how to bring fun and engagement into the process.
Source: techbeacon.com