Security is a discipline that is forever changing. There are always new threats on the horizon, and we are constantly warning people that software is never as secure as we might like, because we cannot predict the future. Be alert! Never let your guard down! Think like an attacker! These are well-trodden refrains.

The truth is, however, none of us can be a perfect sentry. Yes, there is a lot of security work that can be automated and integrated into the product lifecycle, but there will always be a human element and humans are not perfect. They can get bored, complacent, and rely too much on crutches that have worked for them in the past. Also, there are limits to the amount of information that a person can take in. A focus on security can get lost amongst things like needing to create new features or meeting deadlines.

So how do we make sure that security awareness is not lost, and that all the training we spend precious treasure creating doesn’t get lost in the noise?

The answer is to systematically work towards creating a culture of security.

A healthy security culture is one where folks have internalized your security protocols to the extent that desirable security actions are the default. For example: suspicious activity on a server? Immediately report it to the incident response team.

Culture is what you do with the information, education and tools that you have been exposed to. Creating an organizational culture strong in security principles and awareness requires identifying deliberate behaviors, creating opportunities for these behaviors to exist, rewarding them, and measuring the result. This can often be achieved through “gamification”.

So, how did we use this technique effectively? We wanted to foster a culture of open communication about security. We wanted everyone to be able to join the conversation, but we knew we were going to need to find allies in order to make the conversation authentic and genuine. We created an e-mail distribution list and started inviting everyone who took our training to join. We also encouraged our security champions to join as watchers and helpers for any issues raised on the list.

After a while, it became clear that our black and brown belts (the most advanced trainees) were very active on the list, researching and answering questions that would have cost our dedicated Security Researchers valuable time. We maintain a program where we give spontaneous positive feedback to managers, and the brown and black belt holders are consistently at the top of that list for their participation.

Over the years, the list has grown considerably; it is self-moderated and remains a thriving community where anyone can ask a question. It is the first place we go to make announcements about our security efforts, where we learn tips and tricks from across the company to help keep things more secure, and where we share the latest security news.

Let’s break down further what we did here:

  1. Declared a goal – open communication
  2. Created an e-mail list and advertised it to champions and thought leaders
  3. Let people interact without over-moderating
  4. Rewarded participants with positive feedback, engaged in their topics, and encouraged public praise
  5. Kept track of subscriber growth

Here are a few of the many dividends that have come from this tool to encourage our open security culture:

  • Security issues or potential problems within our products can be more quickly identified
  • We are often made aware of cutting edge industry and academic research that might be useful
  • There is a sense of “community” amongst members of this list
  • It has become easier to spread information to the right people very quickly

As mentioned above, security is an ever-moving target, and security culture efforts need to adapt to meet it. The culture-of-openness example above is a broad target designed to change a complex set of behaviors. You can use the same strategy to address simpler behaviors – like badge surfing or locking computer screens. Prioritize the behaviors you want to change, then focus on them, reward people for even the smallest of victories, and measure the difference in how often the behavior occurs.

Josh Kebbel-Wyen
Sr. Security Awareness and Training Program Manager

DYK?, Major Initiatives, Ongoing Research, Secure Product Lifecycle (SPLC)

Posted on 06-20-2016