One of the first things you learn about cybersecurity is that you have to understand your attack surface. If you’re securing an application, this means looking at every place where a malicious actor might gain unauthorized access or manipulate data. Suppose instead that you are responsible for protecting an entire organization. In that case, the attack surface is far larger than any single security expert, however competent and well-organized, could reasonably be expected to cover alone.
Your corporate attack surface includes people and machines. Keeping your systems and devices safe can be challenging, but people are an entirely different challenge. In this article, we’re going to talk about how to partner with others in your organization to help transform your people into a well-trained cybersecurity unit that keeps your critical systems safe.
Step 1: Start at the Top for Leadership Buy-In
A successful cybersecurity initiative needs buy-in from the leaders of your company. Given the prevalence and acceleration of data breaches, your leadership is likely already aware of the problem. The value proposition you’re bringing to them is to increase awareness of security best practices, educate employees throughout your company, and make them your first line of defense against potential threats.
One of the most effective strategies that hackers have is to compromise a legitimate user’s account using social engineering tactics, such as sending them phishing emails, or scouring their social media accounts to guess answers to their security questions. Ensure that you are prepared to discuss the risks associated with a data breach and present your leadership team with a comprehensive plan that addresses the most common human vulnerabilities.
Step 2: Engage Human Resources to Support Training
Once you’ve secured the leadership team’s support, the next partnership you’ll want to establish is with the Human Resources (HR) team. Work with HR to develop a comprehensive set of policies covering appropriate corporate device usage, password requirements, and general security training. You’ll want to create a plan to train existing employees and make security training a mandatory component of employee onboarding.
For password requirements, you want to strike a careful balance between usability and strength. Favor length over composition rules: a long passphrase is harder to guess than a short string with mandatory symbols and digits, and it is far less likely to end up on a Post-It™ note on the underside of a keyboard. Screen new passwords against lists of known-breached passwords, since attackers try those first, and back passwords with multi-factor authentication so that a single leaked credential is not enough to take over an account. You should also develop policies that prevent account and password sharing, grant employees only the access their role requires (least privilege), and adjust or revoke access promptly when employees change roles or leave the organization.
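To make the length-versus-complexity trade-off concrete, here is an added example (not from the original article) of a policy check that favors length and breach screening over composition rules. The breached-password set, the twelve-character minimum and the organization terms are constructed assumptions for illustration; in practice the denylist would be a local copy of a public breach corpus or a k-anonymity lookup against a breach-check service.

```python
"""Password-policy check favoring length and breach screening over composition rules.

Added example; the breached set, minimum length and org terms are constructed."""
import hashlib
import unicodedata

# Constructed stand-in for a breached-password list (SHA-1 hex digests).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "P@ssw0rd1!", "Welcome2024!", "qwerty123", "letmein")
}

MIN_LENGTH = 12   # assumed enterprise minimum; NIST SP 800-63B allows 8 as a floor
MAX_LENGTH = 128  # accept long passphrases; never silently truncate


def normalize(pw):
    """Unicode-normalize so 'same-looking' passwords hash identically."""
    return unicodedata.normalize("NFKC", pw)


def check_password(password, username="", org_terms=()):
    """Return a list of policy failures; an empty list means the password is acceptable."""
    pw = normalize(password)
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        failures.append(f"longer than {MAX_LENGTH} characters")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        failures.append("appears in breached-password list")
    lowered = pw.lower()
    # Reject passwords built from the user's own name or the company's name.
    for term in (username, *org_terms):
        if term and len(term) >= 3 and term.lower() in lowered:
            failures.append(f"contains '{term}'")
    # Reject trivially repetitive content such as "aaaaaaaaaaaa" or "abababababab".
    if len(set(lowered)) <= 3:
        failures.append("too few distinct characters")
    return failures


def composition_rule_only(password):
    """The legacy 'one upper, one lower, one digit, one symbol, 8+ chars' rule, for contrast."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r}: composition rule passes={composition_rule_only(candidate)}, "
              f"policy failures={check_password(candidate, username='jsmith', org_terms=('Acme',))}")
```

The contrast is the point: `P@ssw0rd1!` satisfies every composition rule yet sits in the breached list, while a four-word passphrase with no symbols at all passes the length-first policy.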
Step 3: Regular and Creative Training for Everyone
We’ve all gotten policy-related emails and sat through compulsory corporate training meetings that we would rather have avoided. Given the importance of cybersecurity, you want to partner with the training resources in your HR department and try to find creative ways to engage employees with security training.
Make the training interactive and use real examples of phishing emails that you dissect to help employees spot warning signs, such as spelling and grammatical errors, unknown or mismatched sender addresses, links whose visible text does not match their destination, manufactured urgency, and unexpected requests for information or credentials. Competitions, rewards, and positive reinforcement, along with clear descriptions of the risks, will help improve the impact of the training. Make sure that you teach what to do if someone receives a suspicious email, and make sure that those steps are accessible on the corporate intranet or even on a handy sticker or magnet for each employee.
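The warning signs listed above can be checked mechanically, which is a useful way to build dissection material for training. The following is an added example, not code from the original article: it runs a handful of indicator checks over a constructed sample message. The sender domains, the urgency phrases and both messages are made up for illustration; `acme.example` is assumed to be the organization's trusted domain.

```python
"""Phishing-indicator checks over a constructed raw email (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of pressure phrases commonly used in credential-phishing lures.
URGENCY = ("immediately", "within 24 hours", "account will be suspended",
           "verify your account", "urgent")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw, trusted_domains):
    """Return the list of warning signs found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    signs = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    # 1. Sender domain is not one we trust.
    if from_dom not in trusted_domains:
        signs.append(f"sender domain {from_dom!r} is not a trusted domain")
    # 2. Display name borrows a trusted brand while the address lives elsewhere.
    for td in trusted_domains:
        brand = td.split(".")[0]
        if brand in name.lower() and from_dom != td:
            signs.append(f"display name mentions {brand!r} but address is @{from_dom}")
    # 3. Reply-To silently routes responses to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        signs.append(f"Reply-To domain {_domain(reply)!r} differs from sender")
    # 4. Link text shows one host while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(text)
    for href, anchor in collector.links:
        href_host = urlparse(href).hostname or ""
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", anchor.lower())
        if shown and shown.group(0) != href_host:
            signs.append(f"link text {shown.group(0)!r} but href host {href_host!r}")
    # 5. Urgency or credential-request language.
    hits = [u for u in URGENCY if u in text.lower()]
    if hits:
        signs.append("urgency language: " + ", ".join(hits))
    return signs


# Constructed lure; not a real message.
SAMPLE = """\
From: "Acme IT Support" <helpdesk@acme-support-desk.com>
Reply-To: recover@mail-reset.example
To: jsmith@acme.example
Subject: Action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended within 24 hours. Please
<a href="http://acme.example.phish.test/login">acme.example/login</a> to verify your account.</p>
</body></html>
"""

# Constructed legitimate notice from the trusted domain, for contrast.
CLEAN = """\
From: "Acme IT Support" <helpdesk@acme.example>
To: jsmith@acme.example
Subject: Maintenance window
Content-Type: text/plain; charset="utf-8"

The VPN will be restarted at 18:00 on Friday. No action is needed.
"""

if __name__ == "__main__":
    for sign in phishing_indicators(SAMPLE, ("acme.example",)):
        print("-", sign)
```

Each returned string maps to one of the warning signs employees are taught to look for, so the same script can generate the annotated examples used in a training session.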
Step 4: Deputize Your Software Engineering Resources
Just because a software engineer doesn’t work on the security team doesn’t mean that security isn’t their responsibility. In addition to the standard security training, you can further empower your engineering teams by training and encouraging them to think like hackers. I was fortunate enough to work for a company some time ago that scheduled annual competitions with prizes and bragging rights. These competitions served as security training and engaged us in a series of engineering puzzles that included SQL injection, cross-site scripting (XSS), cryptography and social engineering.
You can instill a culture of security awareness within your development teams through well-planned training, recognition, and competition. This approach keeps your organization safer, improves the quality of the teams’ code, and reduces the risk that security vulnerabilities will make it to a production environment.
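Two of the puzzle categories mentioned above, SQL injection and cross-site scripting, are the kind of thing a deputized engineer should be able to recognise and fix on sight. The following is an added example, not code from the original article or from the competition it describes: a deliberately vulnerable query and a deliberately vulnerable HTML template, each beside its fixed form. The SQLite table and its two rows are constructed test data.

```python
"""SQL injection and XSS: the vulnerable form beside the fixed form (added example)."""
import html
import sqlite3


def make_db():
    """Constructed in-memory table with two users; not production data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "h1", "admin"), ("bob", "h2", "user")])
    return conn


def find_user_vulnerable(conn, username):
    # Deliberately vulnerable: the input is spliced into the SQL text, so a
    # quote in it ends the string literal and the rest becomes SQL syntax.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Fixed: the driver binds the value; quotes inside it are data, not syntax.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_comment_vulnerable(text):
    # Deliberately vulnerable: untrusted text is dropped straight into HTML.
    return f'<p class="comment">{text}</p>'


def render_comment_safe(text):
    # Fixed: escape for the HTML text context before interpolation.
    return f'<p class="comment">{html.escape(text, quote=True)}</p>'


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))   # every row comes back
    print("safe:      ", find_user_safe(db, payload))         # no such username
    xss = "<script>alert(1)</script>"
    print(render_comment_vulnerable(xss))
    print(render_comment_safe(xss))
```

The injection payload turns the vulnerable query into `WHERE username = '' OR '1'='1'`, which matches every row; the parameterized query looks for a user literally named `' OR '1'='1` and finds none. The same pattern applies to the XSS case: the fix is to treat input as data for the context it lands in, never as code.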
Step 5: Focus Security Team on What Matters Most
Even with well-implemented training programs and a dedicated cadre of security-minded engineers building your applications, there is still plenty for your security engineers to work on. The shared-responsibility model will reduce the risk of successful phishing attacks or other malicious activity, but it won’t remove it entirely. Ideally, security teams will move from a place where they are constantly fighting fires to one where they can engage in strategic initiatives to further improve security for the organization, automate risk detection wherever possible, and prepare your organization for the future.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Torq.
Feature image via Pixabay