I've worked in information security for over two decades, and I can tell you firsthand that instilling a culture that puts security first in all organizations, not just the ones that traditionally have a role in security, is a challenge. There are, however, a number of leadership techniques that will raise security awareness in any organization of any size. Here are four tried and true strategies.
Strategy 1: Team Building
Your immediate priority is getting to know your current security team and scaling it quickly but pragmatically. One of the biggest dangers in any new job is to move too quickly and "make a big entrance." Not me. By looking at the superb internal talent, my team has been able to swiftly and strategically build out our security organization while doubling down on the best practices that were already working.
Part of my philosophy is that it's imperative to show value in a security team quickly. We are not a revenue-generating team in the usual sense, but we do provide a valuable service to our customers, both internal and external. At the end of the day, the most important asset in any company is the employee base. It's critical that everyone in your company understands their role in security. Employees are the strongest link, and also the weakest. Clear, concise communication is vital to making your security program successful.
Strategy 2: Extend a Security Mindset
Whether you are a developer, an HR expert or a lawyer, it's important that each employee understands their role in the security world. Conversely, trying to force change by lecturing and shaming people on their security or lack thereof will rarely elicit the results you want. Instead, make security a shared focus by inviting all departments into the security organization.
At MongoDB, I am building a security champion program. We have volunteers from many teams, globally, who are willing to become the "security champion" for their group. This includes the opportunity to meet directly with security leadership on best practices and to incorporate those security practices within their particular business unit. These volunteers already have an interest in security and their outside perspective helps diversify the security organization. They can act as a conduit between internal teams to help break down silos while shifting security to a shared goal.
Strategy 3: Learn — Continuously!
It's important to maintain a sense of curiosity as a security leader. Everyone on your security team should attend at least one training class a year, either internal or external. My team currently attends seminars throughout the year taught by third-party experts on topics such as cloud security, authentication, and container security. Our less-experienced security personnel have the opportunity to learn a new skill and grow in their role. To help with this, we offer an outstanding program called New Hire Technical Training. This is a week-long intensive training class attended by all engineering staff, including a pre-program containing approximately 100 hours of homework.
I am also working with our team behind MongoDB University, a free online training platform on MongoDB best practices, to enhance the existing security content for the class as well. To get an entire organization prioritizing security it is critical to provide a number of low-friction channels to educate and train your employees.
It's also important to recognize that many people from nontraditional backgrounds have the critical thinking skills to be successful security practitioners. It's our job, as CISOs, to identify those with a natural aptitude for security work and give them the opportunity to expand on that skillset with formal and internal, peer to peer training. Stepping outside of your infosec bubble to listen to and understand underrepresented perspectives will help raise the bar for security in your organization.
Strategy 4: Measure Success
To give our customers peace of mind that our technology is built securely from the ground up we communicate by third-party validation. We've prioritized documenting our internal processes and work for audits to attain certifications for SOC2, ISO27001, PCI/ DSS, and more. Following months of hard work, I found we had great processes already in place for many security and compliance issues that we could clearly demonstrate and communicate to partners and other third parties.
For example, the NIST CSF is helpful with measurements around people, processes and technology. So, if I were to plan a phishing exercise rollout in January, and 30% of people "click the link," then I know I have training awareness shortfalls. That would give me solid data to launch training classes in security awareness with phishing. Two months is a decent reset before trying a new phishing exercise to see if that click rate is down significantly. I know this isn't an exact science, and it is very dependent on the phishing topic, but you get my point.
Bottom line: Investing in training your people and continuously building relationships outside of the security world provides a greater impact than any other investment a security organization can make.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Is Voting by Mobile App a Better Security Option or Just 'A Bad Idea'?"