It's easy to think of software security as something related to code, but we must remember that it is equally as much a question of people. Security must not become a purely technical exercise. The human factor is central, but can often be the most difficult thing to address. Let's look at how we can create a security culture, and how this can be an important part of your security work.
7 min read
By Hans Kristian Henriksen
December 1, 2021
Before we talk about why we need a security culture and how to create it, we should define what it is.
A security culture is a culture where:
We want to create a workplace where all of these are present and central to being a part of the company. While some of these factors are quite obviously part of making a company more secure, some of them might not immediately strike us as important for security.
Why is it important that making errors is ok? Making errors in security tends to be bad, should we not foster an environment where making errors is discouraged? While I'm not saying that we should make mistakes on purpose, I am saying that we should not punish, admonish, or in any other way discipline those who make them. Making mistakes is human, and everyone at your company will make mistakes, small or large. How we treat people when they make mistakes is critical in forming their actions, and how they try to fix their mistake - or hide it.
A security culture is an essential part of any organisation that creates anything that requires any amount of security. If you process personal information, create physical products for the medical sector, or just need to ensure that competitors can't copy your newest ideas, you will most likely rely on multiple layers of technical security measures. But these are worthless if the people in the organisation can easily be tricked into clicking some phishing links, will let anyone into the building, or just don't understand the reason for the security measures, and find workarounds.
We create a security culture because we recognise that any system that has a human component, has humans as part of their security model. As such, we must secure also these human parts of the system, and that is best done by creating a security culture.
Creating culture is extremely difficult. If you have ever tried, you will know that you can't just tell people "In this company, our culture is to be kind to one another". Sure, that might plant a seed for some people, but culture is a fluent and dynamic thing. It evolves in the interconnectivity between people, and only a continuous effort can steer it in a specific direction. I believe that the four most important things a workplace can do to promote good security culture is the following:
First and foremost, I believe that security is more about awareness than anything else. Security in the digital information age is extremely complex, and most people have no intuitive concept of information security. Continuous training, small everyday tips, and a general focus on security in all tasks, not just those that are directly related to security work, is needed to ensure that everyone feels that security is part of their jobs. When something is talked about by everyone in an organisation, regardless of role, leadership responsibility, and responsibilities, it becomes part of the identity of the company.
People need to feel safe in a workplace in order for a security culture to work. We are asking people to ask questions and be curious about a difficult and abstract field. This will lead to a lot of questions that people will feel are "stupid", and we will have to explain basic concepts. Unless everyone has the necessary psychological safety, you will never be able to create a security culture.
Unfortunately, making sure our products are secure takes time. Time that could have been spent on new features, customer support, or other improvements. Most teams have more tasks than they could conceive completing. Stacking a pile of security related tasks on top of this is often not possible. We need to create enough slack in the workday for the team to be allowed to think about, discuss, and work on, security.
All the previous points require one thing: Good leadership! However hard employees might try, they can not by themselves create the necessary focus on security in all parts of the organisation. They can not create the psychological safety needed, and it is their bosses that must create the slack in their workdays. This is, as all leadership, an ongoing process. Do not fall into the trap of thinking that once a good security culture has been established, it will sustain itself indefinitely. If you take your hands of the steering wheel, do not be surprised if these success criteria vanish before your eyes!
I feel that the project I currently work at has a well above average security culture, so I thought I would share some stories that show what good security culture might look like in a normal workday.
As the head of security, it is my job to ensure that we work every day to make a more secure product. But I can't do that alone, it requires that everyone is onboard. When a new feature is developed, the first time I usually hear of it is when a developer from the team in charge reaches out to me. Usually, I get a description of the feature, and then some reflections on the security implications, if any controllers are to be implemented to mediate some of the risk, and questions they might have.
Almost always, this conversation starts because the team have thought about security when designing the feature, and decided that they need to make sure that they have thought about all relevant issues. Sometimes we follow this conversation with a formal security review, sometimes the changes are so small that it's not necessary. But the most important thing is that the security of the feature has been thought of from the start, making it integrated into the solution, not slapped on top at the very end.
Security culture also relates to the non-technical interactions we have. Such as when there is suddenly someone in the office, wearing work clothes and appears to be working on the ventilation system. Most places, this would be something that is briefly registered before people return to their work.
We instead have people immediately asking the worker who they are, and what work they are doing. Then, our office manager is called to validate that we or the building owners have indeed ordered the work to be completed. This ensures that someone can't just show up at our offices looking like a contractor and walk around undisturbed.
Finally, when your security culture is good, people are not afraid to ask questions when something seems a bit off. I get lots of questions that start with "I don't think this is something dangerous, but I want to make sure". This is excellent, both because some of the things people experience are actually things we would like to do something about (phishing, unusual requests from vendors etc.), but also because there is a lot of learning for everyone in these situations.
If you read this and want to do something about your security culture - you can! Look at the 4 factors I have mentioned that are part of creating a security culture. 1) Focus on security awareness, 2) Create a feeling of safety, 3) Ensure slack in the workday and 4) Promote good leadership. Spend a couple of minutes thinking about how your company could improve. Perhaps you could send a short security email once a month about a relevant topic to the entire organisation? Or maybe as a leader you can ensure that developers have the time in their day to patch those security flaws they know about, but never get around to fixing?
Building a better culture is not about monumental actions, or large transformations, it is about the small conscious steps we take every day to move in the direction of a more secure company.