I recently talked with a CISO friend of mine who was struggling to scale his security team. He has fewer than 10 security people on his team to support an organization with over 500 developers and 2000 employees. Responding to all of the requests (development best practices, legal and compliance, security awareness, IT security) while trying to organize his team to perform the scanning, testing, reviews and more left him underwater and stressed out!
After talking for a bit, it was clear that the security team was spending time doing things that it could delegate, train others to do, or deputize people outside the team to handle. I told my friend, “You don’t have to struggle with your 10-person team, you can enlist every developer to help and have a team of 500.”
The most secure organizations in the world develop a deep sense of security culture and training. Every person, from sales, to support, to development, test, and PM care deeply about the security of the product and are supported through the training they need to achieve those goals. They understand that security is not just important to the product, but it is a cornerstone of the trust you build with your customers.
With this in mind, I explained how to get from the frenzied and overwhelmed place he was in, to a place of security support and enablement that will allow the security team to tackle important security goals that will improve the security maturity of the organization.
The goal is to create an upside-down pyramid of security knowledge. At the top we have every employee at the organization, with the security team at the bottom. We want to enable every person to make the best security decision they can and create lines of communication and support throughout, so each person knows who to reach out to when they need help. This means giving each person, from the top down, more training and enablement to solve security problems. This lets the team move quickly and means that the security decision is made by the person closest to the issue. The security team then acts as the backstop for any security challenges that slip through.
This end state allows each person to feel confident enough to raise their hand and ask about the security, safety, or privacy of a component or feature. A conversation about security can start simply by asking a question like “Is this considered sensitive data, and if so, how are we going to protect it?” or “What is the security impact of exposing this API to the internet?” The asker doesn’t need to understand CSRF tokens for APIs, or JSON injection, or the latest attacks; they just need to feel comfortable raising the question and being part of the discussion.
How do we get there?
There are two components that must go hand in hand to get to this state: Training and Culture.
Training gives each person the seed of knowledge to know when to speak up. Culture gives them the confidence to do it, the trust that their contribution will be considered, and the assurance that they won’t be intimidated by others for speaking up.
Security culture is launched and directed from the top of the organization, but if it is not supported by proper resource allocation (both time and money), an inspirational speech from the CEO about how security is a top priority can quickly sow resentment. Therefore launching a company-wide program needs buy-in from every member of senior leadership: the CEO to set direction, and Sales, Marketing, Finance and Engineering to agree and support.
Culture is supported by trust. If the employees trust that they will be supported to spend the time and budget to make good security decisions, then they will believe in the cultural shift. If they see that the company is only paying lip service to security, then that trust may be irrecoverably lost. For this reason, it is critical to create a roll-out plan with documentation and Q&A before trying to start the program. This will give you a framework to fall back on when there are questions about time and budget for each member of the team. Being inconsistent with requests is another way that trust can be lost.
Training should be required at every level of the organization, with concentrations around critical areas. Every employee should receive security awareness training to help them understand how to protect themselves and the organization against cyber threats. Every employee should also be supported by the organization with best-in-class tools like password managers, 2FA solutions, anti-malware, etc.
Every member of the development team should receive at least a baseline of security training. This training should be engaging, up to date and tailored to their area of work. The security industry changes quickly, so staying up to date is critical. If a training module hasn’t been updated in more than a year, the content may have already fallen out of date. Wasting people’s time with irrelevant or out-of-date training can erode their trust in the program.
Each team should have one security champion who has an aptitude and passion for security. This might be a security person placed on the team, but ideally it’s somebody already on the team who has the relationships and knowledge of the code and who demonstrates a desire to lead the security program for the team. This person resides on the development team and works closely with the developers, testers, and PMs. They will build and maintain threat models and perform security code reviews, penetration tests, and architecture reviews as necessary. Training and guidance should be made available to these security champions to help push them forward in their security career. They should be supported by the organization to attend and participate in security conferences and have access to tooling and automation that can be a force multiplier for their efforts. Ultimately this person may “graduate” to lead larger security teams as the security needs of the organization grow, or they may move to the internal security team.
Finally, the security team should lead the training effort by keeping up with all the leading attacks, exploits, and defenses. Some of this knowledge can be gained through existing security training, but much of it will be developed through conference training courses and internal research and development. Some of the available security solutions will not work for your organization or at the scale you need them to. The security team should use its time and R&D efforts to deeply understand the unique challenges your organization faces and come up with solutions that solve those issues in tailored ways.
Enlisting every employee of the company might seem like a tall order, and it is true that this won’t happen overnight. However, security is fun and exciting. If you can get the budget and support from the necessary teams to enact your vision of company-wide security culture, I am certain there will be a waiting list of people clamoring to become part of your new security army.