Take a stroll to the Information Security department and you'll hear about the latest blunder an employee made that resulted in lost data. Security is widespread and mainstream, but security culture has not kept pace with the threat landscape. Security culture is what happens with security when people are left to their own devices. Do they make the right choices when faced with whether to click on a link? Do they know the steps that must be performed to ensure that a new product or offering is secure prior to ship?

It is not something that grows in a positive way organically. You must invest in a security culture. A sustainable security culture is bigger than just a single event. When a security culture is sustainable, it transforms security from a one-time event into a lifecycle that generates security returns forever.

A sustainable security culture has four defining features. First, it is deliberate and disruptive. The primary goal of a security culture is to foster change and better security, so it must be disruptive to the organization and deliberate with a set of actions to foster the change. Second, it is engaging and fun. People want to participate in a security culture that is enjoyable and a challenge.

Third, it is rewarding. For people to invest their time and effort, they need to understand what they will get in return. Fourth, it provides a return on investment. The reason anyone does security is to improve an offering and lower vulnerabilities; we must return a multiple of the effort invested. A strong security culture not only interacts with the day-to-day procedures, but also defines how security influences the things that your organization provides to others. Those offerings may be products, services, or solutions, but they must have security applied to all parts and pieces. A sustainable security culture is persistent.

Why does an organization need a security culture? The primary answer is something that deep down we all know. In any system, humans are always the weakest link. Security culture is primarily for the humans, not for the computers. The computers do exactly what we tell them to do.

The challenge is with the humans, who click on things they receive in email and believe what anyone tells them. The humans need a framework to understand what the right thing is for security. In general, humans within your organization want to do the right thing — they just need to be taught. Luckily, wherever an organization sits on the security culture spectrum, there are things that can be done to make the culture better. Many organizations have the opinion that the security department is responsible for security.

Sustainable security culture requires that everyone in the organization is all in. Everyone must feel like a security person. This is security culture for everyone. Security belongs to everyone, from the executive staff to the lobby ambassadors. By creating programs catered to region, department, and role, our people understand that security is part of their story and our culture. People look to these things to understand what they should focus on. Update your vision or organizational objective to clearly articulate that security is non-negotiable.

Speak about the importance of security from the highest levels. This does not mean just the people who have security in their title (CISO, CSO), but also other C-level execs all the way down to individual managers.

Security awareness is the process of teaching your entire team the basic lessons about security. Security awareness has gotten a bad rap because of the mechanisms used to deliver it. Posters and in-person reviews can be boring, but they do not have to be. Add some creativity into your awareness efforts. On top of general awareness is a need for application security knowledge. Application security awareness is for the developers and testers within the organization.

In your organization, they may sit within IT, or they may be the engineering function. AppSec awareness is teaching the more advanced lessons that staff need to know to build secure products and services. Awareness is an ongoing activity, so never pass up a good crisis. Bad things are going to happen to your organization, and many times they will be tied directly to a security problem. Grow your security culture with these teachable moments. Do not try to hide them under the rug, but instead use them as an example for how the team can get better. Accountability before awareness is crazy. People want to do the right thing, so show them through an awareness program and then hold them accountable for the decisions they make after gaining the knowledge.

A secure development lifecycle (SDL) is foundational to sustainable security culture. An SDL is the process and activities that your organization agrees to perform for each software or system release. It includes things like security requirements, threat modeling, and security testing activities. SDL answers the how for your security culture. It is sustainable security culture in action. Customers across industries are starting to demand the crazy idea that organizations have an SDL and follow it. The lineage of many industry SDL programs traces back to the Microsoft program.

A reasonable place for the SDL to live is within a product security office. If you do not have a product security office, think seriously about investing in one. This office sits within engineering and provides central resources to deploy the pieces of your security culture. While we do not want the entire organization to farm off security to the product security office, think of this office as a consultancy to teach engineering about the depths of security.

Look for opportunities to celebrate success. When someone goes through the mandatory security awareness program and completes it successfully, give them a high-five or something more substantial. They also will be quick to tell five co-workers they received cash for learning, and those five will jump into the training quickly. The other side of reward is security advancement.

Make security a career choice within your organization. Put your money where your mouth is. If you say security is important, prove it by providing growth potential for those with a passion for security.

A final step is to provide an opportunity to earn an advanced degree in security. Many universities now offer a master's degree in cybersecurity. In my previous job, I worked with a large university in California to tailor a degree program that supported the company's security culture. Once again, put your money where your mouth is and sponsor the first group of students. It sends a positive message to the entire organization.

Security community is the backbone of sustainable security culture. Community provides the connections between people across the organization. Security community assists in bringing everyone together against the common problem, and eliminates an "us versus them" mentality.

Security community is achieved by understanding the different security interest levels within the organization. Security advocates are those people with a down-home passion for making things secure. These are the leaders within your community. The security aware are not as passionate but realize they need to contribute to making security better. The sponsors are those from management who help to shape the security direction.

That means an attacker can redirect users to a malicious website of their choice even if the victims entered the correct website name. To protect against pharming attacks, organizations should encourage employees to enter login credentials only on HTTPS-protected sites. Companies should also implement anti-virus software on all corporate devices and apply virus database updates, along with security upgrades issued by a trusted Internet Service Provider (ISP), on a regular basis.

While some phishers no longer bait their victims, others have specialized their attack emails according to an individual company or service. Take Dropbox, for example. Millions of people use Dropbox every day to back up, access and share their files. One attack campaign, for example, tried to lure users into entering their login credentials on a fake Dropbox sign-in page hosted on Dropbox itself. To protect against Dropbox phishing attacks, users should consider enabling two-step verification (2SV) on their accounts.


Fraudsters could choose to target Google Drive similar to the way they might prey upon Dropbox users. Specifically, as Google Drive supports documents, spreadsheets, presentations, photos and even entire websites, phishers can abuse the service to create a web page that mimics the Google account log-in screen and harvests user credentials.

A group of attackers did just that back in July. To add insult to injury, not only did Google unknowingly host that fake login page, but a Google SSL certificate also protected the page with a secure connection. Once again, users should consider enabling 2SV to protect themselves against this type of threat.