How to Create Good Security Culture and Why it Matters
Introduction
I recently had the great pleasure of being involved in a security panel webinar on cloud security and governance lessons learned. This webinar is available on YouTube if you missed it. The discussion inspired me to dig a little deeper into some of those topics.
This blog post focuses on our discussion of developing a security culture and will be followed by others on good security foundations and common pitfalls.
Security Culture - What is it and why does it matter
In my daily work and recent history I have worked with both SMBs and enterprises at different stages of their journey to cloud. Whether you are an enterprise with a security culture servicing your on-premises and cloud estate, or an SMB focussed on producing a great product for your customers, your security culture is critical. The UK government describes the aim of a security culture as:
“To develop a culture in which everyone in the organisation understands that they are collectively responsible for security and takes the right steps to support this. There should also be a collective understanding of risk management and responsibility, and the importance of the organisation’s reputation”
I would however go further and state that it is not just “reputation” at risk but the success of the organisation. While there have been many scare stories of organisations collapsing after cyber attacks, these are far less frequent than organisations that end up haemorrhaging time and money as a result of an attack. This has a real world impact on an organisation’s ability to remain agile/competitive, or attractive to customers and staff. Therefore, getting this wrong comes with a significant price tag.
Security culture is the aspect of security we do over and over again. By doing so it becomes our culture. As an example, I once worked with a finance sector company that implemented a detection system that identified threats in their system, yet when the associated alerts became too numerous they disabled the alerts. Their culture was to have the tool in place, not to make use of it to address security issues. Culture is what we do every day until it becomes our normal operation.
So how do we create a good security culture?
It starts at the top of the organisation with leaders who commit to making the appropriate level of security a priority. These leaders also need to empower security to be done at all levels and in all areas of the organisation; it cannot be done on the side by a single team (e.g. security, IT, risk & governance, etc.). These teams can lead, guide and manage guardrails, but security is implemented in every role.
This approach gives other levels of the organisation permission to challenge when other priorities threaten the security of the organisation. That is not to say that security must override all other business drivers. It needs to be one of the drivers that is considered alongside other critical ones such as cost effectiveness, customer demand and business sustainability. I have encountered many organisations, big and small, that make critical business decisions such as product launch timelines, infrastructure design, implementation mechanisms and product selection without a balanced approach. I often say "people have the right to make a bad decision, as long as we make it an informed decision", so the customer who chose to launch with weak encryption was fully aware of the risk they chose to take. As security professionals we are not always privy to all aspects of decision making and can sometimes feel we are shouting at hurricanes. We need to make our voices heard by using proper business language and tools, but accept that sometimes these other factors are more critical. This includes ensuring that risks come with a clear explanation of how they will affect the business if the risk becomes an issue.
In my experience, I have had customers who were unfortunately forced to launch their service without the government-approved pattern for encryption services in place. This was to allow the service to launch and be available to make citizens' lives better, but the pattern in question had not yet been developed. We took a risk-based approach, understood the risks and accepted that the risk of not launching was greater than the risk of waiting for the approved pattern.
In recent years I have seen businesses have to accept a degree of suboptimal cloud operations due to compelling events such as data centre closures, imminent hardware renewals and new compliance regulations. Having a culture of understanding and communicating risk as well as balancing security risk with other business drivers allows us to adopt a pragmatic and achievable approach.
To address the concerns previously mentioned, during the webinar the other panel members and I discussed key elements such as:
- Telling stories in the organisation to help embed the collective knowledge not just in the current staff, but also in new staff joining the organisation. They hear our stories and understand why the culture is how it is.
- Securing the process, not the product - we live in a world where the products we produce change on a monthly, weekly or even daily basis, and even if we move slower than that, how quickly does what we use change?
- Not pushing people to get things over the line at any cost - empower them to take a balanced approach to decision making, including the security impact.
Conclusion
In conclusion I hope I have given you some insight into what a security culture is, why it’s important to your organisation and how to achieve it. Whether you are a senior leader looking to secure and evolve your organisation or a security professional moving into new areas (such as cloud), I wish you well on your challenging journey.
If you're looking for assistance with that journey then come and talk to us. Whether you want to improve your security architecture, monitoring, alerting or observability, get in touch! As an AWS Advanced Consulting Partner, Cloudsoft will help you design for success and improve your operations fast, including reviewing, implementing and helping you upskill.
Useful Reading
- Improving security culture - A guide for government security teams: UK government guidance to teams on the benefits and creation of a security culture. This gives a clear perspective on how this is not a technical issue as well as how to engage the different critical stakeholders.
- AWS Well-Architected Framework - Security Pillar: Clear guidance on security in the cloud with mechanisms to understand and evaluate your governance and culture throughout.
- Creating a Culture of Security: NIST blog post explaining that the purpose of cybersecurity awareness and training efforts should be to create a culture of security.