With cyberattacks becoming more frequent and costly, not to mention the additional challenges inherent in securing a remote workforce, it is more important than ever that organizations build a culture of security. This, of course, isn't a new thing to say, and yet it keeps needing to be said. So, why haven't we solved this yet?
Part of it is that the work never stops. It's like leading a healthy lifestyle; regardless of how fit and healthy you get, you never arrive at a point where you can just stop making healthy decisions and stay healthy. What makes it more challenging is trying to get a whole organization on board with making all the small decisions to stay secure.
Don't Be the Team of "No"
Security teams are often seen as the team of "no," or like the doctor telling you that you should really cut out salty foods entirely. You might agree in general, but how realistic is it that you never have salty foods again? If rules are overly restrictive or they make tasks significantly harder, people are going to cheat the system. We have to find a way to have more carrot and less stick. We have to pave the road for employees so that security isn't a chore.
It is absolutely important to train employees to recognize phishing, to require two-factor authentication, and to rotate passwords when there is reason to believe they have been exposed (forcing periodic changes for their own sake is no longer recommended by NIST SP 800-63B; it mostly produces predictable variations of the old password). But how could we simplify this process? I'm a big fan of companies giving employees a subscription to a password manager. This takes care of the password concern while arguably making employees' lives a bit simpler: the manager generates a unique, random password for every site, so nothing has to be memorized or reused, and a credential leaked from one service doesn't unlock the others. It's very much about building a two-way street rather than being a hardened gate. This allows us to start building in processes alongside other departments that make sense for their workflow. These processes will change from company to company, but the key here is to look for ways that security can be improved while also improving the workflow for employees in general.
One of the biggest reasons security teams are bypassed is that they hinder agility. There is nowhere this is more true than on the development team. I have worked in the SaaS space for some time, and the development team's ability to deliver, and deliver fast, is the core of what will determine a company's success or failure.
However, developers are notorious for finding ways around security protocols because the protocols slow down how fast they are able to launch applications. While some security teams might see this as a failure on the developer team, I see it as a failure of the security program. SaaS companies must be able to deliver applications at the speed of business while also being secure. It's the security team's job to be the security coach of the organization and that involves implementing policies that don’t hinder the developer's ability to do their job.
As one example, developers often use open source to avoid recreating functions that already exist and are easy to plug in. The danger, however, is provenance. A package pulled straight from a public registry may be typosquatted, taken over, or quietly updated with malicious code, and we have seen even some of the most talented developers fall prey to it. To prevent this, organizations should prioritize creating internal repositories of vetted code that developers can pull from. If the organization isn't of the size to create their own internal repository, they should look for vendors who provide scanned code libraries. Either way, pin exact versions and verify artifact hashes at install time, so that what gets built is exactly what was vetted and not whatever the public registry happens to serve that day. This way the developer workflow isn't impeded, but it is nonetheless made more secure.
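One way to enforce that pull, as an added example that is not from the original article or any particular vendor: a checker that only lets a pip-style requirements file through when every package is pinned, carries a hash, and is present in an internal allowlist, plus a verifier that compares a downloaded artifact against the vetted hash. The allowlist, the artifact bytes and both requirements files are constructed here for the example; in practice the allowlist would be published from the internal repository and pip pointed at it with --index-url and --require-hashes.

```python
"""Gate dependency pulls on a vetted allowlist plus pinned sha256 hashes.

Added example, not code from the article. VETTED stands in for what an
internal repository of vetted code would publish: name -> version -> sha256.
"""
import hashlib
import hmac
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for vetted artifacts (real ones would be wheels or
# sdists served from the internal repository).
_SAMPLE_ARTIFACTS = {
    ("requests", "2.31.0"): b"requests-2.31.0 (constructed stand-in for a wheel)",
    ("urllib3", "2.2.1"): b"urllib3-2.2.1 (constructed stand-in for a wheel)",
}
VETTED: dict = {}
for (_name, _ver), _data in _SAMPLE_ARTIFACTS.items():
    VETTED.setdefault(_name, {})[_ver] = sha256_hex(_data)

_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(\S+)\s*(.*)$")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def parse_requirements(text: str):
    """Return [(name, version_or_None, [sha256 hashes])] from pip-style text.

    Backslash-continued lines are joined as pip does; comments and blank
    lines are skipped; a requirement without '==' is reported as unpinned.
    """
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        joined.append(buf + line)
        buf = ""
    if buf:
        joined.append(buf)
    reqs = []
    for line in joined:
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # options such as --index-url are not requirements
        m = _REQ_RE.match(line)
        if not m:
            name = re.split(r"[<>=!~\s\[]", line, maxsplit=1)[0].lower()
            reqs.append((name, None, []))
            continue
        name, version, rest = m.group(1).lower(), m.group(2), m.group(3)
        reqs.append((name, version, [h.lower() for h in _HASH_RE.findall(rest)]))
    return reqs


def check_requirements(text: str, vetted=VETTED):
    """Return the findings that would block an install; an empty list is a pass."""
    findings = []
    for name, version, hashes in parse_requirements(text):
        if version is None:
            findings.append(f"{name}: not pinned to an exact version")
        elif name not in vetted:
            findings.append(f"{name}: not in the vetted repository")
        elif version not in vetted[name]:
            findings.append(f"{name}=={version}: version not vetted "
                            f"(approved: {sorted(vetted[name])})")
        elif not hashes:
            findings.append(f"{name}=={version}: no --hash, artifact cannot be verified")
        elif vetted[name][version] not in hashes:
            findings.append(f"{name}=={version}: hash does not match the vetted artifact")
    return findings


def verify_artifact(name: str, version: str, data: bytes, vetted=VETTED) -> bool:
    """True only if the downloaded bytes hash to the vetted value for that version."""
    expected = vetted.get(name.lower(), {}).get(version)
    return expected is not None and hmac.compare_digest(sha256_hex(data), expected)


# Constructed requirements files: one that should pass, one that should not.
GOOD_REQUIREMENTS = (
    f"requests==2.31.0 \\\n    --hash=sha256:{VETTED['requests']['2.31.0']}\n"
    f"urllib3==2.2.1 --hash=sha256:{VETTED['urllib3']['2.2.1']}\n"
)
BAD_REQUIREMENTS = (
    "requests>=2.0              # unpinned: the resolver may pick anything\n"
    "urllib3==2.2.1             # pinned, but nothing to verify the download against\n"
    "somepkg==0.0.1 --hash=sha256:" + "0" * 64 + "  # never vetted internally\n"
)

if __name__ == "__main__":
    for label, reqs in (("good", GOOD_REQUIREMENTS), ("bad", BAD_REQUIREMENTS)):
        print(label, check_requirements(reqs) or "OK")
```

Running the checker in CI before `pip install --require-hashes` keeps the gate out of the developer's editor entirely: a pull request that adds an unpinned or unvetted package fails fast with a message naming the package, which is a far smaller interruption than a review ticket with the security team.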
Break Down Silos
Another key step is to build the culture so that security belongs to everyone within the organization. Anyone who touches a computer has to be security aware. The security team has to be able to work with different departments and integrate into their workflows, but it must still be a collaborative effort rather than something imposed from outside. When it comes to enabling the development teams, I recommend building a security champion (or security liaison) program. This gives security a seat at the table as the developers are designing applications and planning work.
Establishing this program as early as possible in your organization will increase your awareness of what is going on within different development teams and ensure security does not become a bottleneck in the software delivery pipeline. Finding people to buy into this model from other departments is as good as gold for security professionals because the advice always goes down smoother when it isn't coming from the security team directly.
The challenge of course is finding individuals who are willing to take on the extra work of advocating for security, but in the absence of a champion, look to at least get liaisons to the different departments. The simple truth is that security teams are stretched too thin to be the one and only protection from malicious actors, so we need to get buy-in from the rest of the organization.