Infosec leaders hope to instill a culture of cybersecurity in their organizations. But an expert says action speaks louder than words.
“Culture ultimately reflects what you do,” says Merritt Baer, a principal in the office of the CISO at Amazon’s AWS service. “You get a culture of security by doing it.”
She was interviewed recently after coming to Quebec City for the Semaine numeriQC conference, where she spoke on “Building a Culture of Cybersecurity.”
Security has to be central to the value proposition that IT and security leaders deliver to their stakeholders and users, she said. And the only way to do to that is to weave security into core business delivery.
For example, she said, after Amazon trained 2,000 of its developers in cybersecurity techniques, there were 22 per cent fewer medium and high severity vulnerabilities in code than before — and it took less time to do security code reviews.
“We found it reduced all the friction from our application security process so significantly we were saving a significant amount of time in the development cycle,” she said. “So it comes back to not just doing security for security’s sake, but for the benefits that come to the core delivery”
“Good intentions are not enough. You can’t say you want a culture of security. You have to go do it and you have to invest in the day-to-day operations and the business priorities that allow security to be a top priority.”
“The whole point is to make the secure thing the easy thing to do” for employees, through automating IT procedures.
The reason infosec leaders say they can’t get that done is they haven’t necessarily been able to demonstrate that value proposition of how security can be part of everything they deliver, she said.
Pointing to “scary headlines” will only go so far, she added. “There’s no doubt that most folks [in all organizations] believe that security matters,” she said. “I think the question is how do you do it in a way that doesn’t burden the business.”
Building a security culture needs executive sponsorship, she said. Amazon has what she called “forced blameless escalation”: If something goes wrong and isn’t fixed, that can be reported up the management chain. Senior leadership “knows they have to answer the phone for security. That’s a values-based system. We have decided we’re going to make security something everybody has to care about.”
The biggest obstacle to building a cybersecurity culture is “a misperception of risk. Folks will be hesitant to move to the cloud or adjust their manual approaches to security because they don’t observe the risks of staying in place. So I think the obstacle is, ‘This is how we’ve always done it.’”
To build a culture of security, IT and security teams need to do things like adopt agile application development methodologies and think of the ways to do infrastructure as code or make encryption a policy requirement, she said.
“Being risk-adverse and being the traditional shop of, ‘No,’ … is what gets in the way.”