October is National Cyber Security Awareness Month (NCSAM) and to address this week’s theme of “Cybersecurity in the Workplace is Everyone’s Business” our Whiteboard Wednesday this month features Bo Kim, head of information security at Imperva.
When it comes to building a security program, focusing only on technology and processes puts organizations in a weak and unbalanced position. People need to be equally factored in—and that’s where culture comes in. Listen as Bo talks about the importance of a strong security culture and walks through four essential components needed to build one.
How to Build a Security Culture – Video Transcription
Hello everyone, and welcome to today’s Whiteboard Wednesday. My name is Bo Kim, I’m the Senior Director of Information Security here at Imperva, and for today’s topic, we’re going to be discussing the importance of a strong security culture and four essential components needed to build one.
Why You Need a Strong Security Culture
To begin, let’s talk about the reason why we need a strong security culture. As with any other major business objective or initiative, when we are trying to build a strong security program within our organization we need to focus on three major components—and that’s going to be the infamous people, technology and processes triangle.
People, Technology and Processes
A lot of times unfortunately, we find ourselves as security professionals focusing a lot more on the technology and processes side which puts us at an unbalanced and weak position. Today we’re going to be talking about what we can do to focus more on the people aspect, and in this context we’re really talking about company culture.
Company culture is basically the beliefs and resulting behaviors of the organization. So, in an organization that has a strong security culture, employees have a clear understanding of what’s right versus wrong, the type of activity that they should report on in terms of being suspicious and who and how to contact the right team.
People Are a Major Attack Vector
People are a major attack vector. The 2017 Verizon DBIR showed that 43% percent of all breaches they covered started with some kind of social attack. If we continue to position ourselves in a weak position, focus purely on technology and processes, we’re essentially leaving ourselves vulnerable to an attack vector that accounts for nearly half of all current-day breaches.
“Someone else’s responsibility”
And then finally, in a company that doesn’t have a strong security culture, security becomes someone else’s responsibility and the whole point of a strong security culture is to have that shared sense of ownership, so we know that “someone else’s responsibility” is definitely not where we want to be.
Four Essential Components for Building a Security Culture
First and foremost, the biggest impact you can make on your company’s security culture is to start at the top and get your leadership support and buy in.
#1: Leadership Support and Buy In
Company culture is absolutely defined from the top leadership down throughout the organization. And just like any other business unit, we as security professionals need to do a good job and clearly communicate where we are in terms of our current company security posture and our upcoming security initiatives.
This can obviously be done through frequent reporting. However, don’t just stick to some of the low-level security metrics. Be able to tie it in to some larger level initiative that aligns with your company’s objectives or clearly states or represents a true risk to the company.
So, for example, here at Imperva, we start with a high-level security domain dashboard, where we’ve broken out our security program into the major security domains that we feel define it. And then we score it from a scale of zero to five, which essentially is an adoption of the enterprise maturity model. Each of those scores are then represented or reinforced through supporting metrics and KPIs, so that we know where we need to go.
Some of the domains that we report on for example are effective security awareness training with a supporting metric of failed phishing awareness attempts. Another example would be our defensive posture against account takeover. And with a supporting metric of percentage of systems behind multi-factor authentication.
Establish Department/Team Champions
Once you have that leadership buy in and support, make sure you start to move further south into the organization and establish department team champions. These are basically going to be the local teams—local departments and leaders of those departments—that can help provide that feedback once you’re rolling out new security initiatives.
#2: Security Awareness Training
The second component is going to be effective security awareness training. Simply put, you can’t have a strong security culture without your employees clearly understanding what’s right versus wrong, what it is that you’re trying to actually protect—so your data classification—and also how to report suspicious activity and to what team.
Tiered Approach Based on Risk Exposure and Role
One way you can build your security awareness training program is to approach it from a tiered, or targeted approach. And so, as you can see in this [diagram], as we go up the triangle, risk goes up, but the exposure, the amount of roles within the company, decreases. So, at the bottom level, where the triangle is the widest, we start with your general security awareness training. An example of an element of this training would be your data classification. Again, everyone needs to know what you’re trying to protect.
To take that example one step further, if you were a software company, source code is probably going to be pretty high on that list. As you move up though, the people that actually have access to that source code are at that intermediate level, so they need a little bit more targeted training. And then finally, the people that are the administrators, the ones who actually administer your source code repositories, are going to have that in depth training, because as we go up again, the risk goes up. And then finally, you want to continuously adjust to improve. If there are any new risks or roles or business units created within your organization, you want to re-assess to ensure that [the training] is current and that you’re covering all roles within the organization.
#3: Test Security Posture
The third component is going to be to actively test your security posture. You can’t just simply rely on your passive security awareness training. Now one way you can do this is through social engineering campaigns or in other words, internal phishing campaigns. And what this does is it gives your employees the ability to test their knowledge on how to detect suspicious activity and then also how to report it to the right team. One of the key differentiators here and biggest impacts you can make though, with this component, is your remediation. Instead of punishing, your team should take the opportunity to educate the employee further. So, for example, if there was a failed phishing attempt, for the employee that was affected, your team should approach them and let them know essentially what assets within the organization could have been breached or what path the malware could have taken.
#4: Continuous Communication
The fourth component is going to be continuous communications. The bottom line here is transparency is key. Your team needs to be approachable. The channels that you’ve set aside for your employees to contact your security team, when used, need to be responded to very quickly. Your employees need to understand that you take their reports very seriously and it helps build that shared sense of security ownership. Also, regardless of whether it’s an incident—an actual incident or a false positive—reward their behavior, so again, you’re building that shared sense of security ownership.
Share Improvements with Employees
And then finally, similar to what we were doing with the leadership reports, feel free to distribute internal reports that show the current posture of the company and then also reinforce some of the new initiatives that you’re deploying within your organization. So, if you have a new security awareness training initiative or campaign, then show the improvements quarter over quarter to your employees so that they understand that their efforts are part of a larger initiative.
Thank you for joining today’s Whiteboard Wednesday. I hope the topic that we discussed today helps you build a stronger security culture within your organization. We look forward to you joining us in future sessions.