From Enemies to Allies: Addressing Security Culture Clashes in Your Organization

In last week's piece, I addressed the different types of security cultures within today's organizations. You have your "security bullies" -- the teams that refuse to compromise with other internal stakeholders in the business when it comes to implementing security policies, in turn only inciting teams to find insecure workarounds and loopholes. And then on the other side of the spectrum, you have the "elephant in the room" -- when business teams only see security as stifling agility and innovation, refusing to include them in critical conversations. In both cases, both sides of the table need to become allies to the business and each other. Let's talk about how we can get there. Getting equipped for the conversation
At this point, many may be thinking their task is simple: Don't be a bully if you are, or simply make yourself heard if you are the elephant. The truth is, this isn't something that is going to be fixed without a more conscientious approach. Before you embark on getting to the table in partnership with the business, you need to learn more about the importance of your job. You need to be prepared to explain to the rest of the company why security matters. Understand how defense has evolved
The traditional approach to security has been the same for a millennia. It was employed by the Roman legions and is employed today in our businesses. Often called "defense in depth," the strategy consists of sequential layers of defense meant to weaken the enemy and finally, defeat it. Where there were once castle walls, moats and battlements, there are now physical security, firewalls, authentication barriers and more. This approach to security is really not a mystery to the business. In fact, most of the folks in the business would probably describe security in this way.

On top of their understanding is the expectation that this can and should be done silently and transparently to their daily operations. Perhaps they have not been reading security blogs lately.

Have you heard any of these phrases before?
"They are already in the walls."
"You've already been hacked."

There seems to be enough evidence in the wild that our traditional approach to security hasn't been working. We all need to begin rethinking security with an understanding that an evolution and revolution in our approach is necessary. This revolution requires that security begins to understand the business and that the business actually has a stake in security too. It's our responsibility to explain this to them in the simplest way possible and open the door to new and positive relationships.

Identity in depth
To put it simply, not having a robust perimeter security solution, competent authentication and even multi-factor authentication would basically tell me you were being negligent. But as we all know, it simply isn't enough. Today, each defensive layer in the organization needs to be augmented with identity. The layers alone are simply not enough. Firewalls and VPNs need to be checking for more than simple credentials; rather, they should be aware of who is connecting and what this user's capabilities are in the business.

Applications can't simply react to basic role-based access control logic, but rather must be supplemented with separation of duties and toxic role logic you get from an IAM solution. Web portals can no longer rely on simple SSL and authentication, but rather understand if the connecting user matches what we know about this user's typical forensic thumbprint. In essence, the only defense we have for the new breed of hacker (who is really just a modern "identity thief") is to always have identity front and center. It is this revolution in defense -- from defense-in-depth to identity-in-depth -- where we can begin to change the conversation.

Starting over
Again, our goal in security is to be an invited and trusted member of the business discussion, but both of our troubled security cultures above have a similar problem to fix. Whether your team has been bullying the business or has been seen as irrelevant, we need to re-introduce ourselves. Put your kingdom-building or your meekness aside and tell the business: "we need to talk."

The conversation can go something like this:
"The traditional approach to security has changed and I realize that we've both made some mistakes." Explain how you understand what the business thinks about security and that it makes sense to you, but then take some time to talk about the dangers of a security breach. Do this in a way that doesn't present tales of doom and gloom, but speaks to critical business issues that matter to them. (Typically people don't like drama.) Instead draw on recent examples of intellectual property theft, customer distrust and big losses to the bottom line -- all things that they know and understand, and more importantly, can hugely impede the business. Take some time to explain how the practice of security has evolved, and how through the concepts of identity-in-depth, we both have our best opportunity to stop them in their tracks. Now comes the easy part: Tell them how important they are!

The business is essential
As security team members, we can freely admit that we're not really experts on the tasks, goals, and issues that our business leaders deal with. This is why you need to explain that in this new world, business has a greater say in how our security posture is designed. Only the business knows who needs access to what function or which roles should be granted only with approval from the boss. Explain to your new partners that you are there for them and that you need to make decisions together that can satisfy the requirements of the company in general. It is because of the change in the threat landscape that you are here and that we need to build a new relationship.

For the bully in the room, your approach to security has done more harm than good. This redefinition of our goals in security give you an opportunity to repair your relationships and start working for the good of the business. Educate your team on a business-centric approach to security and teach them that changes made to the organizations simply cannot interfere with the goals of the business.

For the elephant in the room, your time spent away from the table must come to an end. We can't begin to embark on a new security relationship unless we are actively spending time to understand the business and you need to look for those opportunities. Listening at first, waiting until you feel you are beginning to understand, and then making the bold move to suggest partnerships that you know solve the problems the business has.

Building the trust that has been missing for so long is simply the first challenge you need to conquer. Only after that can we begin to tackle the technical problems that we face... and with our new partners.

— Joe Campbell is principal security advisor at identity and access management company One Identity. professional career spans innovations for some of the world's biggest companies, and he's pioneered new, award-winning technologies in wireless, RFID, visualization, communications and telephony. As a trusted security advisor, his unmatched experience in security and software architecture makes him a highly respected leader in the technology industry.