There is so much talk nowadays about building a culture around security as more people point the finger at the "human layer" as the reason their security program struggles. There are also new companies popping up that center exclusively on security awareness and culture initiatives.
This wave of interest is, in my opinion, a positive sign of the industry recognizing that its problems are not exclusively rooted in technology. Anyone who's been involved with a significant culture change will tell you, it's not easy, and there is no specific recipe for success. My goal with this post is to outline seven things to be mindful of as you embark on your own security culture change in your organization; each of these things is a tipping point that can help your initiative sink or swim. This post is not the "top seven" or maybe even the most critical seven depending on your organizational context. However, they are real and worth your attention.
Embarking on a culture change initiative frequently starts by defining and kicking off a series of activities related to the ideal end state. This makes a lot of sense: chipping away at a big, hairy goal by breaking it down into small, bite-size chunks. However, where I've often seen (and experienced) this approach struggle is when these activities are not closely aligned with:
- The other events happening in the culture change initiative
- A broader security strategy
- The broader company culture, mission, and strategy
Making sure that you're not sowing confusion by introducing things that conflict with one another is really important. To this end, you need to think outside of the security organization, to the company culture and mission. You might even need to think beyond that, to the industry or geographic area you reside within.
When things are aligned, they build on one another instead of competing. Take the time to make sure you're spending your time on the right activities before diving in.
Peter Drucker, one of my favorite authors on management and leadership theory, once said, "what gets measured, gets managed." Having clear measurement criteria for the change you're trying to create is essential because it:
- can propel your initiative forward if you're actively measuring and taking action on what you learn, or
- if you're not measuring (or are measuring the wrong things), leaves you blindly doing things without really knowing whether they're succeeding or not.
There are a lot of measurement tools out there in the business world; one that I've grown to love over the years is OKRs (objectives and key results), after working for a John Doerr company. You can learn all about OKRs, if you're so inclined, at the following links:
The idea is that you establish an objective that is relevant to advancing your cause. You then develop actionable, measurable criteria (key results) to gauge whether or not you have succeeded.
Where is culture change coming from? If HR teams or a CSO are driving culture change, it's almost certainly going to struggle. Culture is inherently an organic result of the way that everyone in a company operates: the process, the problem solving, the hustle, the fun, the communication, all of it. While the CSO or someone in HR can, of course, have a tremendous impact on culture, they alone can't control it.
Look for opportunities to incite change from the bottom up. Capitalize on people who have an interest in security and the way they vocalize and socialize that.
Too often I've seen security initiatives begin out of nowhere relative to what's happening within an organization. Somebody saw an impressive conference presentation or got a tip from a peer in the industry. If no existing momentum corresponds to the desired change, then you may run into challenges.
I've typically found it useful to find ways to capitalize on other things happening within an organization. Is there a significant new strategic initiative happening? Is there a re-organization about to kick off? Is the company rolling out a new tool across the company? Look for opportunities to align the change you want to create with what else is happening at the organization. If there's alignment, then you have momentum you can capitalize on.
5. Personal commitment and incentives
For anybody to change, they need a motivation to do so. Sometimes that motivation can come from external sources, such as a directive from a manager, but those are often short-lived. Intrinsic motivation, that which comes from personal interest and a desire to change, is much more powerful and can last for the longer haul.
Since you don't wield the power of brain control in your role on the security team, you can instead design incentives that encourage intrinsic motivation in others. Incentives can come in many forms; here are a few:
- Stickers or t-shirts
- Cash bonuses
- Social recognition across the company
- Time off
- Social outings (dinner, happy hour, escape room, etc.)
- Trophies or other objects that correlate to performance
- Challenge coins
If your program lacks incentives that are intended to motivate others then instigating the change you want can be tricky.
6. Communication silos
If communication within your company occurs within a series of vacuums, then you could find that culture change is challenging. For example, does your security team like to communicate on private channels only? How about engineering? How often do people on those teams talk to one another?
If people aren't openly talking, sharing ideas, challenging one another, and collaborating, then it's likely that a security culture change is going to occur within a vacuum. While it's entirely possible you can take the "land and expand" approach, you can probably expect some hardship.
I would strongly recommend working to break down these barriers before you try to initiate any significant behavioral change between these various groups.
7. Eating your own dog food
If the security team expects others to be writing code securely, patching their servers, and following all of the other best practices, then they need to do the same. Throughout my career I've witnessed many security teams who don't follow their own advice; they don't eat their own dog food. Security tools get built to service some specific use case, but then the servers never get redeployed, the code doesn't follow secure coding guidelines, and it's not integrated with CI.
One of the best ways to get others on board with behavior change is to model that change yourself. Make sure you take this seriously if you're trying to change teams' collective behavior when it comes to security practices such as secure coding, patching, maintenance, etc.