VIDEO
Building a successful security culture
What does it take to build a successful security culture at a business, and what is the role of security champions in building a successful security culture? What are some concrete steps organizations can take today to build a successful security culture, and what can be learned from Contrast Security’s security culture? In this video, Naomi Buckwalter, Senior Director of Product Security at Contrast Security, discusses all this and more.
One theme that runs through the discussion: developer trust in security is essential for organizations to adopt and effectively use security tools and practices. When developers trust the security tools and processes they are using, they are more likely to use them correctly and consistently, which leads to improved security outcomes and reduced risk for the organization.
Why check out this video on building a successful security culture?
Here’s what you can expect in this 24-minute video:
- Defining and measuring a successful security culture
- The role of tooling in building and maintaining security culture
- The benefits of using security champions to build and improve business security culture
- How security champions improve DevOps, engineering and operations teams
- Lessons on building a successful security culture from Contrast Security
About Naomi:
Naomi Buckwalter, CISSP, CISM, is the Senior Director of Product Security for Contrast Security and author of the LinkedIn course “Training today for tomorrow's solutions - Building the Next Generation of Cybersecurity Professionals.” She is the founder and Executive Director of Cybersecurity Gatebreakers Foundation, a registered 501(c)3 nonprofit dedicated to closing the demand gap in cybersecurity hiring.
She has over 20 years' experience in IT and security and has held roles in software engineering, security architecture, security engineering, and security executive leadership. A dynamic speaker and mentor, her passion is helping people, particularly women, get into cybersecurity. Naomi has two master's degrees from Villanova University and a Bachelor of Engineering from Stevens Institute of Technology.
Full video transcript
When you think about any culture at all, whether you're just where you grew up, your town, your city, or maybe your family's culture, it's what you experience every day. It's the things that you do to fit in and that works for you and your community or your family in terms of behaviors, what's acceptable, what you eat, what you say, how you treat each other.
Security cultures within an organization, it's exactly the same thing just like how you would experience with your family or your community. It's the things that you do to enhance security at an organization.
So for example, if you walk in and you know that there's a security misconfiguration or there's a vulnerability that you know exists within your organization, a good security culture is going to say, okay. Bring that information in.
Share with us what you know, and they will not blame you for bringing that information to them. There's no shooting the messenger.
So in the case of great security culture at organizations, you wanna think of it that way. Are you being treated well when you're bringing in information for your security team? Or if you have knowledge that something about security is bad or wrong.
A good security culture is going to welcome that information from all parts of an organization, whether it be your business folks or your operations teams or your engineers or even amongst security professionals. Are you welcome? Are you okay? Are you loved to bring in that information to an organization?
So that's a great question. How do you build a security culture from the ground up? I will say, in my previous jobs, I've been the first and only security hire at small companies. Any company smaller than two hundred fifty employees is pretty small.
Anything smaller than fifty or a hundred now, I've worked at these companies. And at every single one of these, I was the first security hire. And I've built security teams, and I've also worked alone as the only security person. And the question is, how do you build a security culture?
Now here's the thing, if you are hired to do security at a small company, I guarantee you those companies care about security. In fact, you're not gonna meet anybody within the executive level or the board or any of the c level folks. You will hear none of them actually admit that they don't care about security. Every single one of those people are gonna say, yes.
We care about security, and they should. Security is a business problem that the business should own and solve. So when they hire somebody to do security, I can guarantee you that you've got some wind in your sails, some wind pushing you to get security done at that company. And that's what you want.
You actually want backing from the senior level folks at that company. So walking in day one, how do you build security? Trust that someone's got your back for you to be able to push that security agenda and build security culture at a company. But your question still remains, how do you actually do that?
Well one, trust the process. You've got the people behind you pushing you forward and giving you the okay and the green flag to go ahead and do security things. And then two, build trust within the organization. Understand how the business works.
What are the goals of the business? What are their major initiatives? Talk to people. Build relationships.
Have coffee chats with people. Get to know them and understand their needs and their wants and some of their problems when it comes to security. What are those big pain points that they have with security today? Security has always been happening without you even though you might have been the first security person hired at that company.
Trust me, there's security things happening already. Maybe it's not at the level that they should or maybe it's just really cumbersome or maybe it's just difficult to do and that's why they've hired you. So when you come into an organization to do security and perhaps you are building that security culture, understand the pain points of the business. Understand where security might be a roadblock.
Understand where you might be able to bring some of your experience and your expertise to help with those roadblocks and to help remove some of that pain for the organization to push forward and be awesome.
Hey. Anything that helps with communication, that's a hundred percent the thing that is always needed is communication, communication, communication, building trust, being transparent and open. So anything that can help a company share information.
What do we have? Slack, Teams, Jira, Confluence, all the Atlassian products, shout out Atlassian, all the things that can help with talking and communication and transparency, those are the things that help best build security culture because what you don't want as a security person is to start hiding things from the people that you work for and you work with.
That's the fastest way to erode trust. If you are trying to build trust, the best way is just to be open about things and be transparent, being this is what we're trying to do. What do you think? And getting their input on things.
Don't just drop security stuff and fly away. Don't act like a seagull. You fly overhead and then you drop the security thing and you fly away. Like, go to them.
Ask for their advice and for their feedback on certain things. There's a great example recently at Contrast where we asked our security champions and our engineers for feedback on our internal application security training program. What we had currently wasn't really working with our engineers. They didn't really find the need for it to their everyday jobs because the topics were just so basic.
What they needed were more Contrast-specific things that they needed to learn for their jobs. So we asked the engineers, what do you think would be good to learn for your yearly training, for your security training? And we heard from multiple people, multiple champions, multiple engineers across our engineering org what they thought might be good for them. And we take all that feedback back and we build out a security training program that fits their needs, and it's a win-win for everyone.
Security team knows that the engineers are following the security process because we're training them on the right things, and the engineers can feel confident in releasing secure software. And the more transparent you are, the better you communicate with engineers and people within the organization, the more security culture is gonna flourish, and the more you can get security activities done at the right amount and the right level that security needs to actually happen.
Not too much and not too little.
Yes.
Yes. Now if your tools do too much, people who are using them or trying to use them are really gonna have a hard time using that tool.
So when you bring in new tools for your engineers, for your organization, you really wanna understand the impact that it will have to their everyday. If it's difficult to use, if it's hard to understand, if they're not getting a ton of value out of it, they're probably not gonna use that tool as much as you want them to. And so that's where the problems start to happen, where you think security might be happening, but because that tool is hard to use or there's not a ton of obvious value coming out of that tool, chances are that tool is not gonna be used to the full extent that, you know, at least you've paid for. And it's disappointing all the way around where the vendor knows that they're trying to solve a need for you, but maybe it's just not the right fit at that time for your company.
So work with your vendors. Right? There's always gonna be something that a vendor can do to help you get that tool working for your organization.
Security culture, it's different at every organization. It's gonna be different throughout the day. But in the long run, a good way of measuring it is how much security is actually happening at your organization. And there are very, very easy ways of measuring that. Some things that you could say is how often are security vulnerabilities patched and fixed? How quickly can those things happen? How often do new security problems happen?
How quickly can things like security incidents and breaches, how quickly are those resolved?
And these are all very easily measured, and they're not just emotion based, but very, very data driven.
How many meetings have you been involved in? I love that one. That's, like, really good. So take a look at your calendar right now.
I love this. I could take a look at my calendar. How many times has engineering asked for our advice? Or how many times have they Slacked us asking for general guidance on things?
That's awesome. That's indicative of a strong security culture where security is seen as a resource, as a service, and that's always been the case where if we understand as security people that we are a service for the business, that we are not the cart leading the horse.
The business exists with or without security. We are there to help the business. That's when security culture flourishes.
Alright. Let's talk about security champions.
A lot of different companies are gonna do this a little bit differently, but the overall goal of a security champion is to have advocates for security sprinkled throughout a business. So we've got security champions within your finance team, your legal team, your operations team, your engineering, your marketing, all the different teams. The goal is to have security advocacy in places where a security team member might not always be. So think about meetings and Slack channels and documents, offline documents and people just commenting or just where conversations happen.
When a security thing is happening or a security question might come up, are security discussions happening?
And that's where a security champion can come into play. Where a security champion understands the importance of security and understands the responsibility for everyone at an organization, but they can also speak pretty well and pretty accurately to the desires and wants of the security team themselves.
So think of things like security requirements, product security requirements, application security requirements. Here's a really basic one. You must scan your code for security vulnerabilities. Very basic.
So if a person on an engineering team says, let's push out this code without any security testing. Well, let's just push out this code. We need to put this patch in ASAP. A customer needs this today.
What a good security champion would do is, like, woah. Woah. Woah. Let's just wait one second.
Let's not forget that product security requires us to do scans of all our code. Of course, that's a very basic example. We've got a ton of built-in scans for your development pipelines, your Contrast. We offer that as a tool and solution for our customers.
Awesome stuff. But for the more complicated things, for the things that require more nuance or more complex conversation, that's when a security champion is gonna say, woah. Let's have a conversation with security. Maybe they have more insight.
And so now that security champion is helping bring along and give that visibility to the security team when they can come in with more advice and more guidance, more technical things and knowledge that the engineering team's gonna need. And that's true for all areas of the business where a security person can come in and give the insight to help move along that business initiative and help the business achieve its goals. So a good security champion, always wanted, always welcome. They are the eyes and ears of the security team.
And I know that sounds a little bit weird and creepy, but that's another way of building a great security culture at an organization where everybody within the company understands the importance of security and they understand their role within an organization to do security.
I would say yes. Absolutely. Security champions are a hundred percent necessary to build great security culture at organizations.
For example, if you know, as an engineer, let's say, that you need to ship something for a customer ASAP yesterday. This thing needs to be out the door, and you've done the coding, and you're finished with all the testing and everything else like that. What you want is somebody on the team, on your engineering team, advocating for security to happen before that all gets pushed out. So before the shipping, before releasing to production, before giving the thing to the customer, you want security activities happening, whether it be code scanning, secure code reviews, external validation, internal validation, all the things that security team members are absolutely advocating for amongst engineering teams.
What if you had somebody on the engineering team to advocate for you? Building security culture. Right? A hundred percent.
It's like the best thing ever. So what you have now are the eyes and ears of security within engineering teams and, honestly, within anywhere in an organization. So you've got marketing, sales, operations, legal, compliance, all the places. Now if you have somebody who deeply cares as much as a security person within that team, that's a hundred percent what security culture is all about.
It's building security awareness and culture within all areas of the business at the same level and intensity almost as somebody on a security team would bring. Somebody who cares as deeply as a security person for security things, you want that sprinkled throughout an organization. And good security champions are gonna do that for you. They are the eyes and ears of security teams.
I would say, like, the most important part, though, is really understanding the role of security. Now I've been at places where security is absolutely the cart leading the horse, and it is painful because, you know, the engineers, the people in the room, they're like, oh, there goes security again, just telling us what to do and not really understanding what we want. They're just blah blah blah giving us all the security requirements and telling us all the security things that we have to do, but they're not understanding us. They're not understanding what the business needs.
And I can guarantee you once that starts happening, security culture is going boop, going downhill. And those business folks, those engineers, the marketing team, they're gonna do it without you. If things are happening within the business without a full understanding of security risk, then that's when security problems might happen. And when problems come up, it might catch the business off guard.
Wow. I didn't know we were susceptible to ransomware. I thought we had backups and that we were testing that stuff. Got involved with the security team in all aspects.
Otherwise, things happen when security risk isn't fully understood, and that's when the business suffers.
Now here's the thing about engineers.
They will listen to security people if they are confident that you're there to help them and not to stop them from doing things and, and here's the important part, that you could speak the same language of the engineers.
So as a security person, it is so incredibly important for you to understand how modern software is built in the year of our lord twenty twenty four, how it's built, how it's released, and how it's maintained. Those are the things. One, two, three. So if a security person can come in and they've had that software development experience, awesome.
They've had that DevOps experience, awesome. You're already gonna be able to speak to engineers at a level that they understand, and they're gonna respect you more if you could do that versus just throwing out terms that you've heard that software engineers understand better than you. And always remember as a security person, your engineers, your DevOps, all the people, software developers, they're gonna know their system way better than you ever will because they are hands on keyboard every single day writing the code, pushing the code, testing the code. They are the ones doing the work.
And if you can understand what their software is doing and understand the framework and the language and the tech stack, they will respect you more for it than if you were to come in and just throw them some things that you're telling them that they must do, like do a code scan of something using a tool. Well, help them set it up in their pipeline. Give them the guidance of how to implement this thing that you're asking them to do. And if you can give them examples or show them that it works in this other thing, so here you go.
Here's a great example of them doing it. Go ahead and, you know, see if you can copy that. That's the kind of thing that they're looking for. They want guidance and advice, but they don't need it at such a high level.
They want it at more of that technical level where they live and where they work. So if you can understand their day to day and how software is built and their jobs, they're absolutely gonna be right next to you working and building security into their products.
Alright. Like, security culture within operations teams where people in your SOC teams and security analysts and people looking at logs every day. How are you supposed to get them to talk to other people within the business? Well, we have an awesome tool, application detection and response that's really gonna help here where our operations folks are finally gonna be able to understand the applications that they're protecting, all that network, that log monitoring, the network monitoring, and the log analysis.
They're gonna finally understand where that network traffic is actually going, and they're gonna understand how to talk to the applications teams and engineers over on this side. So farther down the stack, they can have those very, very technical conversations and just say, hey. We're seeing a ton of traffic coming into your application, and it looks like there might be a vulnerable endpoint or a vulnerability within your application. Oh, and by the way, Contrast can actually block that stuff out of the box.
That's amazing. We bought you guys some time to go ahead and patch that thing. That's probably been out there for a while, and we can say and, like, security operations folks are gonna love this application detection response. They're gonna feel that they're really contributing and reducing risk to an organization which is why they exist in the first place.
It's like, hey, let's stop the bad guys from coming and doing bad things or knocking on our door every single day. Let's just make sure the house that we have standing up over here, let's just make sure that we're protecting it the right way and that we are focused on the right areas too. Where if an attacker is coming into the house and they're only hitting one side of the house, let's just make sure that part of the house is really, really secure. It's got a lot more security controls and maybe another part of the house isn't as attacked or isn't as visible to malicious activity or to attackers out there.
They don't really care about it yet. So where the attacks are happening, that's where you should focus some of that energy, more energy there. Because think about your top three applications that are attacked. Think about your most attacked applications because if you know you've got three applications that are the majority of where all the malicious traffic is going to, it makes a lot of sense to tell the applications teams that exact thing.
Hey, you have three applications out there on the public Internet that are attacked more, ten times more, a hundred times more than any of our other applications combined. Maybe we should put more security controls on those. Maybe we should put more monitoring in place. Maybe we should care more about these three applications because those are the things that are being hit the most.
Where the attacks are happening, that's where the security should be happening too. And imagine the security operations teams and your SOC analyst teams to be able to have those conversations finally to give the application teams and the developers that insight that they've probably always wanted. Hey. What are our most attacked applications?
And what kind of attacks are we seeing? And what kind of vulnerabilities do you think are really out there for applications? Like, what are the things that the attackers are trying against their applications?
Interesting. Maybe I should focus some of my energy and attention on those things too and try to fix those things. I think those conversations are gonna be awesome.
Sometimes, yes. If you think about this, there can be too much security. So finding that balance and understanding the need for security at the exact amount that doesn't override what the business needs and what's the business trying to do, that's very important. You don't wanna have someone who's just way too into security things, and they're just all really hardcore about it.
That's what you don't want. You want somebody who understands balance and someone who can balance business risk with security risk. And if you can say I can find that middle ground that says, hey, we can ship this thing for the business. The business needs something and at the same time minimizing the risk to the business, that's what you want.
A good security champion is gonna be able to walk that line. And they understand that security is always about risk management. Security is always about balance. If you have a thing for the business, there might be some risk involved.
But if you have too much security, there's not gonna be a ton of business things happening. So it's always that balance where you have business objectives doing business things, understanding where security might need to happen also.
So security at Contrast, it's just a given. So not only are we selling security products, we do security internally too, and we better do it well. And that's true for all areas of the business, whether it be marketing or sales or operations, legal, compliance, and everything in between. Everyone knows security is our responsibility and it really shows. There's a ton of evidence that I could see right here on Slack where all the conversations are happening, all the security questions and answers and people helping out our customers and even internal processes where we know we can do better. All the things that we know that we must do because we want to practice what we preach. Not only doing security internally but helping our customers do security better too.
So how do we build a security culture at Contrast? Another great question.
It's something that is just part of the organization. We are a security company. We wanna practice what we preach. Not only do our developers understand the importance of security, they understand the responsibility as well. So everyone within our organization already kinda comes into Contrast understanding their role in securing the organization. Because, and you've heard this:
Security is everyone's responsibility.
So if you're walking in and you're thinking, hey. How am I supposed to build a security culture at a company?
Think about it this way. If everyone knows security is their responsibility, that culture is gonna be there on day one. How do we enhance security culture at Contrast?
Well, it's a day to day thing. You have to win over the hearts and minds of the people that you work with. You have to build trust. You have to build relationships.
And by doing that, you're showing them that you are a service for them. Security is there to help them achieve their goals and their business objectives, not the other way around. We're not trying to be an impediment. We're not trying to be a blocker for them. If they see us as helpers, they are going to automatically pull you into decisions, into meetings, into places where you can give insight as a security professional to help them achieve their goals. And so, therefore, you're building security cooperation, another word for security culture. How much cooperation are you getting for security matters at an organization?
And one of the things that I love as a personal metric is to see how many meetings we've been invited to and how many Slack channels and conversations just off the cuff where we're asked to be advisors and guides instead of just a roadblock or a checkbox or a compliance thing that people need to follow. How often are we wanted? How often are we desired to have a voice?
And that's how we know that security culture is doing great here at Contrast.
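Two of the data-driven measures mentioned in the talk are how quickly vulnerabilities get fixed and which applications draw the most attack traffic. The script below is an added example written for this page, not Contrast's code or anything shown in the video: it computes time-to-fix per severity from a constructed set of vulnerability tickets, and ranks the most attacked applications from constructed key=value attack-event log lines (a hypothetical format, not the output of any particular product), skipping malformed lines and flagging events that were not blocked.

```python
from collections import Counter, defaultdict
from datetime import date
from statistics import mean, median

# Constructed sample vulnerability tickets (hypothetical, not real data).
# fixed=None means the ticket is still open.
VULN_TICKETS = [
    {"id": "V-101", "severity": "critical", "opened": "2024-03-01", "fixed": "2024-03-03"},
    {"id": "V-102", "severity": "high",     "opened": "2024-03-02", "fixed": "2024-03-12"},
    {"id": "V-103", "severity": "high",     "opened": "2024-03-05", "fixed": "2024-03-09"},
    {"id": "V-104", "severity": "medium",   "opened": "2024-02-20", "fixed": "2024-03-21"},
    {"id": "V-105", "severity": "critical", "opened": "2024-03-18", "fixed": None},
    {"id": "V-106", "severity": "low",      "opened": "2024-01-10", "fixed": None},
]

# Constructed attack-event log in a hypothetical "timestamp key=value ..." format.
# One deliberately malformed line is included to show it gets skipped, not crashed on.
ATTACK_LOG = """\
2024-03-25T09:00:01Z app=payments-api src=203.0.113.5 rule=sqli outcome=blocked
2024-03-25T09:00:07Z app=payments-api src=203.0.113.5 rule=sqli outcome=blocked
2024-03-25T09:01:15Z app=customer-portal src=198.51.100.9 rule=xss outcome=blocked
2024-03-25T09:02:40Z app=payments-api src=198.51.100.22 rule=path-traversal outcome=blocked
2024-03-25T09:03:02Z app=internal-wiki src=192.0.2.14 rule=xss outcome=probed
2024-03-25T09:04:11Z app=customer-portal src=198.51.100.9 rule=xss outcome=blocked
2024-03-25T09:05:30Z app=payments-api src=203.0.113.77 rule=cmd-injection outcome=exploited
2024-03-25T09:06:00Z app=reporting src=192.0.2.30 rule=sqli outcome=blocked
this line is malformed and should be skipped
2024-03-25T09:07:45Z app=customer-portal src=203.0.113.5 rule=sqli outcome=blocked
"""


def _days_between(start_iso, end_iso):
    """Whole days from one ISO date to another."""
    return (date.fromisoformat(end_iso) - date.fromisoformat(start_iso)).days


def remediation_stats(tickets, as_of):
    """Per-severity mean/median days-to-fix for closed tickets, plus the age of each open one.

    Old open tickets are the signal a security lead wants to see: a fix that
    never lands is worse than a slow one.
    """
    closed = defaultdict(list)
    open_age = {}
    for t in tickets:
        if t["fixed"] is None:
            open_age[t["id"]] = _days_between(t["opened"], as_of)
        else:
            closed[t["severity"]].append(_days_between(t["opened"], t["fixed"]))
    stats = {
        sev: {"count": len(d), "mean_days": mean(d), "median_days": median(d)}
        for sev, d in closed.items()
    }
    return {"closed": stats, "open": open_age}


def parse_event(line):
    """Parse 'timestamp k=v k=v ...'; return None for anything that does not fit."""
    parts = line.split()
    if len(parts) < 2 or not all("=" in p for p in parts[1:]):
        return None
    fields = dict(p.split("=", 1) for p in parts[1:])
    if "app" not in fields or "rule" not in fields:
        return None
    fields["ts"] = parts[0]
    return fields


def most_attacked_apps(log_text, top_n=3):
    """Rank apps by attack events; report each app's share of all events, its
    dominant rule, and how many events were not blocked. Returns (ranking, skipped)."""
    per_app = Counter()
    rules = defaultdict(Counter)
    not_blocked = Counter()
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev is None:
            skipped += 1
            continue
        per_app[ev["app"]] += 1
        rules[ev["app"]][ev["rule"]] += 1
        if ev.get("outcome") == "exploited":
            not_blocked[ev["app"]] += 1
    total = sum(per_app.values())
    ranking = [
        {
            "app": app,
            "events": n,
            "share": round(n / total, 2),
            "top_rule": rules[app].most_common(1)[0][0],
            "exploited": not_blocked[app],
        }
        for app, n in per_app.most_common(top_n)
    ]
    return ranking, skipped


if __name__ == "__main__":
    print(remediation_stats(VULN_TICKETS, "2024-03-25"))
    ranking, skipped = most_attacked_apps(ATTACK_LOG)
    for row in ranking:
        print(row)
    print("malformed lines skipped:", skipped)
```

The `share` field is what turns the ranking into the conversation described in the talk ("these three apps take most of the malicious traffic"), and `exploited` separates events a runtime control blocked from those that got through, which is the subset worth raising with the application team first.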