What is a culture of security? Can you impose one? Does it evolve? What are the elements that make it stick?
As leaders at Veracode, where security is job #1, we challenge ourselves with these questions. We represent two different functional perspectives: the human-resources lead and the engineering lead. We both come from companies deeply rooted in security, whether we're talking products or services (or both). Together, we have learned that multiple cultural and technical factors work together to create a culture of security. We plan to share more about these factors and how they impact our organization and corporate security posture, and this blog post focuses on a fundamental prerequisite: building an understanding of the why.
Most employees want to do the right thing. However, it is hard to comply with corporate policies and procedures without understanding why they exist. This is particularly true for security policies and procedures, which may impose additional process steps and slow progress as a result. Rules about password restrictions, clean desks, laptop lock screens, badges, and more are often a part of an IT security policy. The rules are necessary, but employees still view them as inconvenient because they don't address the why — what a company has to lose or gain if they aren't followed. For the rules to stick, we must show both sides of the coin. Once this is understood, employees do the right thing because they understand the consequences of not doing so.
Here's how Jeff Horan, a Veracode employee who is passionate about the subject, recently captured the why for Veracode:
Customers trust us with their data. It is up to us to preserve that trust.
According to renowned security expert Bruce Schneier, "Security exists to facilitate trust. Trust is the goal, and security is how we enable it."
Why is security so important? It takes a company years to build up trust; it takes only suspicion, not proof, to destroy it. This is why security is job #1.
When you work for a company that provides security products or services, the stakes for not doing the right thing are clear to all employees. They understand the why. It becomes a matter of philosophy — how we need to operate to make the company successful — versus enforcement of corporate policy.
Our company's security philosophy evolved from the firm's founders and has been maintained through grassroots efforts, agreement on its importance, and peer enforcement. It is not unusual to have an employee question a stray visitor in the facility or point out when confidential information is shared inappropriately. A strong culture of security becomes self-propagating — and self-policing.
Clear and consistent messaging about the why is the cornerstone of a successful security culture.