Successful security programs start by articulating the why, because employees take ownership of security when they understand why it is critical to their business. A key next step translates security principles into pragmatic business practices. These practices vary by function and the work at hand. For example, what does "least privilege" mean to an operations employee? What does "confidentiality" mean to an HR employee? What does "data integrity" mean to a marketer? Some of these initiatives can get lost in translation, resulting in greater confusion and potential annoyance at having to adopt new practices.
Empower employees across departments and job functions to answer these questions and embrace the related concepts. They know their systems and processes. They are accountable for implementing secure practices, and for reminding each other when corrections are needed. If you are leading a security initiative, play the role of coach by guiding security discussions, proposing best practices and providing IT and systems support.
Here are a few examples of how Veracode takes this pragmatic approach to implementing security programs:
The Marketing department is motivated to present Veracode's brand and content in fresh, appealing formats. What better way than to embed stylish new plug-ins for a website or blogging platform such as WordPress or Drupal? With basic security training, the team understands third-party risk, i.e. how vulnerabilities in embedded plug-ins could expose confidential data. With this awareness, the team has implemented a review and approval process with Security prior to using any new plug-in, product or technology. This constraint has an impact — it slows down the team's adoption of new initiatives — but Marketing has learned to plan ahead and schedule the appropriate time into projects.
Veracode's Operations team configures scans and reviews results for quality. Team members have access to sensitive data, such as log-in credentials for web-application scans, and work to define processes that include security best practices. For example, sensitive data is always stored on a restricted file system and is never communicated over email or within shared systems. When Veracode adds new scan services, the Operations team takes ownership for building security into the new workflow.
The Human Resources team protects employee privacy at all times. This extends beyond workplace concerns to personal confidentiality, like not sharing employee information, even an address, without that employee's permission. Confidentiality regarding all personal information is built into all HR systems and practices.
Other departments, such as Sales, Services, Support, Engineering and IT, work with additional systems and processes. They make decisions every day that keep their work secure. In a successful security program, these teams are supported by Security and empowered to find practical ways to implement security principles. This approach makes every employee accountable, ensures processes are practical and supports the evolution of practices over time, ultimately allowing everyone to speak the same language.