Creating an Inclusive Cybersecurity Culture
By Robert Wood via accelerationeconomy.com
How CISOs and CIOs Can Create an Inclusive Cybersecurity Business Culture
Security cannot succeed unless we work with and through other teams. This is especially true in application security. Security teams need to find creative ways of engaging development teams in conversation and partnership, for a variety of reasons. Security teams are not the ones patching servers. They aren’t updating libraries. They aren’t fixing the pentest findings. Security teams get their work done by, at times, convincing other teams that a security issue should be fixed ahead of another feature.
This article will touch on several ways that security teams can engage in developer outreach. It’s not recommended to jump in and start doing all these things right away; start small, experiment, adapt, and grow.
Using Competition to Attract the Developer Community
People love games. There are a lot of fun ways to create friendly competition between teams while simultaneously fostering security awareness and building relationships. Hosting a security-themed hackathon is a lot of work but can be very appealing to the developer community.
Some training platforms have begun to release gamified challenges related to secure coding or related topics. Sometimes these are a hit, sometimes they’re a total flop. It’s good to experiment and take a human-centered design approach. The big thing in a competitive sense is to try to make it fun. If people are having fun, they will come back for more.
Security Champion Programs
Security champion programs have been happening for a number of years now. As such, there is a good body of work on how to begin such a program and, more importantly, how to sustain and grow it. I believe that one of the most important elements of any security champion program is the ongoing engagement and growth paths provided to its volunteers. If people don’t have time properly carved out, incentives properly aligned, and actual engagement with the security team, then the program will almost certainly die out and will likely be counterproductive.
Run well, though, and a champion program can be a powerful means of scaling developer engagement across an organization.
Call Outs and Positive Affirmation
Most people appreciate being recognized for the good work they’re doing; positive affirmation works in relationships and it works in organizational dynamics. If you’re on the security team and you recognize a particular developer or a team that is doing things that you would be thrilled to see everyone doing, make sure you recognize it. This could include proactively seeking out bugs and fixing them, setting up more security tools and actively using them, engaging with the team on threat models, or any number of other activities.
There are a lot of ways that security teams can recognize others. Below are a few that I’ve personally used to great effect:
- Notable mentions at large meetings, such as all hands or in newsletters
- Passing around a physical trophy of sorts to create a fun kind of competition (a shield, engraved trophy, big hat, etc.). This one worked better pre-Covid when there was more of an emphasis on in-office culture, but there are plenty of virtual ways to recognize people in a similar way.
- Handing out challenge coins or gift cards
- T-shirts or other kinds of swag that can be displayed by the recipient
What is Cybersecurity Culture
A culture of cybersecurity is a pattern of behaviors, beliefs, assumptions, attitudes, and a willingness to do things that promote security. Cultural change is needed to implement and cultivate a newly developed security culture within your organization. Here are three steps you can take to start.
1. Identify and protect your organization’s digital “crown jewels.”
- Awareness is the first step in creating a culture of cybersecurity.
- Increased awareness can reduce the risk of a cyber attack by 45% to 75%.
- Identify your most valuable assets, inform your workforce, and take the necessary steps to protect them.
2. Be able to detect incidents and have a plan for responding.
- Changing behavior is the second step in creating a culture of cybersecurity.
- Human behavior is involved in over 95% of cybersecurity breaches.
- Develop smart behaviors to detect attempts by hackers and implement the response plan.
3. Make cybersecurity training regular, accessible, and fun.
- SecureABC offers relevant, engaging content through our gamification training, managed and delivered throughout the year, not just once annually.
- Our vast library of content contains over 500 micro-learning, compliance-specific, and gamification modules. We provide posters, newsletters, and security “hints & tips” to reinforce your awareness, behavior, and culture of security.
Source: Secure ABC
Security teams need other teams. We can’t function through policy and mandates alone, not well anyway. To operate effectively, security teams need to engage and build relationships with other teams and leaders. The three areas above are really just a starting point to get ideas going on how to begin this outreach. The most important thing, in my experience, is to be intentional and consistent.