How a Security-Minded Culture Can Change Bad Habits
Okta sponsored this podcast.
How to build a security-minded culture is the theme of the latest episode in our new series “Security @ Scale” on The New Stack Makers with Okta. The series explores security in modern environments with stories from the trenches, including security horror stories and fantastic failures.
In this episode, co-hosts Alex Williams, founder and publisher of The New Stack, and Randall Degges, head of developer advocacy at security services provider Okta, discuss the challenges associated with building a security-minded culture, including what works and what does not.
Featured guests of the show are Deidre Diamond, founder and CEO of CyberSN, a cybersecurity staffing firm, and founder of Secure Diversity, a diversity-oriented recruitment firm devoted to staffing solutions for people of all genders; and Victoria Mosby, federal sales engineer for Lookout, a security solutions provider.
Mosby, who has worked for a number of security providers, noted how she has “so many horror stories I could tell you,” resulting from subpar security policy and culture.
“Some of the main things are we write massive policies, and no one follows them — but everyone wants a shortcut or a waiver,” said Mosby. “So, simplified policies are probably the easiest thing that we could do. And then just general security awareness: everyone wants their tools to do exactly what they want them to do, or they want the newfangled thing without any consideration about how security has to play into that, and then when security does get involved, we’re now the bad guys.”
At the root of the problem is that organizations recruiting team members for DevOps need to do a better job of communicating opportunities, especially in much-needed ways that promote diversity and include underrepresented groups, such as women in tech.
Sadly, many talented individuals remain unaware of opportunities while many critical positions in security remain unfilled. The talent gap in security teams also, of course, means that there are fewer people in place to protect networks and data.
Diamond noted how significantly understaffed teams can lead to high levels of burnout and other issues. “If there is no real succession planning going on because the budgets don’t exist, well, then how isn’t that a vulnerability in itself?” said Diamond. “And it blows my mind all the time to watch.”
Communication and outreach represent ways to foster change. To that end, the conference Day of Shecurity — for which both Mosby and Diamond play significant roles — and other conferences like it, can help to offset the all-too-common lack of diversity among security teams.
Day of Shecurity “is about spreading the word to women of any background 18 and older about all the jobs in cybersecurity,” said Diamond. “And so, in that way, we are spreading awareness around cybersecurity, which ultimately is what this all comes down to: is humans and all of us being super aware.”