By now, you know implementing any office-wide change can be a challenge. More importantly, you know it's totally possible if you commit — and the results are more than worth the effort.
But what does a security-focused workplace look like? What does it do? Here are three growing trends among successfully security-minded workplaces, along with three areas less-successful offices could stand to improve on:
A Successful Culture of Security:
1. Understands the Value of Coaching...
Mistakes happen. Someone can completely buy into the changes you implement and still make an error (or series of errors, if it's a conceptual thing). The trick to combating these errors? Not just coaching, but effective coaching.
Of course, determining what's effective largely comes down to the employee and situation at hand. Being direct is something most developers and engineers appreciate: telling them what's up, what went wrong and how they can fix it, all without putting too much spin on the issue. As long as you stay constructive and approach the chat as a learning opportunity, everyone involved should benefit in the long run.
2. ...And Makes Sure Employees Do, Too
Everyone takes criticism differently. It may not be on the level of, say, painting or sculpting, but developing software is creative work — and that means some employees will be personally invested. That can make coaching a very tricky process if you don't tread carefully.
The big thing here is managing perception. As TechRepublic puts it, you want to be clear the session isn't a personal attack, possibly by asking the employee to repeat what they're hearing back to you. You can also consider giving feedback in smaller chunks, thus giving them more time to process what they've heard.
3. Consciously Focuses on Security
Application security is not just a stop on a road map. It's a concept that needs to be factored into every line of code — and every decision behind those lines of code. Building a culture of security means putting security at the forefront; maintaining that culture means keeping it there.
As with any learned skill, the only way to get there is practice. Over time, security will become an automatic consideration, something that naturally pops up in conversations and decision-making processes on its own. Once that happens, you'll know you're on the right path.
A Less-Successful Culture of Security:
1. Takes a (Primarily) Reactive Approach
Sure, you have to deal with security issues as they arise. But making that the brunt of your security efforts is a surefire way to encounter totally avoidable problems.
Think of a software product as a car. A successful culture does all the proper maintenance: changing oil, checking tire pressure, et cetera. Exclusively reacting to problems as they come is like driving the poor thing until it throws a rod, then shaking your head when you're forced to replace yet another engine. Design for security from the ground up, test often and keep hot security topics in mind at all times. Otherwise, the consequences can be far worse than they might have been.
2. Ignores Conceptual Training
Conceptual training is key: It gives developers solutions to multiple issues — a godsend when new problems (and variations thereof) spring up on a seemingly weekly basis.
Teaching your employees about specific flaws and attacks is important, too, but it's not enough by itself. Instead, make a point of teaching both when it comes time for training. See this article on concepts versus events for further discussion on the topic.
3. Avoids Expert Advice
Approaching expert sources for advice is one of the smartest moves possible when it comes to implementing an effective culture of security. Whether you're talking general consultation or a fresh set of eyes on a project in development, it can help give you and your developers a whole new outlook on what security is and how to approach it.
If you're still figuring out how to implement your own security culture, consider bringing in an expert from the onset. It's tough to cultivate successful change from a faulty premise, and even more difficult to learn something new when you don't know where to start.
A Cultured Outlook
It goes without saying that security is important. And how an organization approaches security is every bit as critical. Even if the desire is there and your staff is totally on board, the wrong outlook can make implementing true change hard — or even impossible.
So take a look at your office's existing security culture; what you find might surprise you. Continue to reiterate your approach, and you'll be more and more capable of keeping ahead of the application security curve.
Photo Source: Flickr