Adapting a Security Mindset for Your Business

There is a direct correlation between the strength of your security culture and the security of the applications and products you build. Security culture is what happens on Friday at 5pm when people are left to make their own decisions. Imagine that a developer has a release due at the end of the week. There is a known vulnerability, so they have to decide whether to push that code out into production. Your security culture is defined by what that developer does at that moment. If they have the flexibility to wait to fix it on Monday, then push out the release, they’re part of a very strong security culture. If they have the pressure to push that release out regardless of the vulnerability consequences, they have a weak security culture.

 

Security culture impacts everybody within the organization. It includes the security team, hardware engineers, program or project managers, testers, SREs, and the release team. Of course, you must include executive managers and developers.

 

Security impacts everybody from the person at the front desk to HR and finance. For the developers and hardware engineers, security must impact their job daily. The goal is to have everybody think of themselves as a security person. We want them to apply basic security practices and learn in their day to day working environment. If everybody thinks like a security professional, you’ll have a secure environment. Never say security is someone else’s job. Security is all of our jobs.

 

The security mindset starts with knowledge. We have to ensure that everyone has the fundamental and foundational knowledge about application and product security. We also want everyone to understand who the attackers are and what attacks and techniques they will use. That’s the foundational layer. Imagine the power of an organization filled with folks in various roles with various responsibilities for products or apps with a security mindset. That is something exciting to think about.