Fast forward to January 6th, 2014, the first Monday of the first full week of the New Year – the vapor trail from the parties, great food and drink has dissipated as the reality of a new year with new challenges sets in with your first cup of office coffee.
Your boss enters the room and says, “Happy New Year, sport! What are your thoughts on changing our cyber/application security strategy this year as our department’s New Year’s resolution?” STOP! Don’t answer with a knee-jerk response like, “Dude, seriously … the coffee hasn’t hit my system yet to start thinking in esoteric terms, and the champagne from New Year’s Eve hasn’t completely worked its way out of my system!” What you should say is, “Chief, culture eats strategy for lunch!”
The most successful companies of our time have achieved greatness from executing strategies driven by a culture built on fundamental core principles. Approaching application security with a strategy-only approach will achieve results, but without having a culture of security woven into the fabric of your company, those results will be short lived.
I will briefly discuss the six (6) fundamentals of building a secure culture in your company. None of these are absolute, and your mileage will vary depending on your company’s uniqueness. One other disclaimer: each of these building blocks deserves far more context than a brief mention in a blog post, but let’s have some fun anyway.
PEOPLE – You’re only as good as your people, and having an effective human capital strategy is essential. Many programmers and managers struggle to understand the difference between secure coding and regular programming. Establishing a continuing education program for all employees starts to remove this layer of fog and arms your most valuable resource with critical knowledge to start building in security from the grass roots. Don’t forget to build in incentives to reinforce the importance of flawless execution, and most importantly, make it fun by adding a sprinkle of gamification!
PROCESS – You don’t know where you’re going if you don’t know where you’ve been! Having a process that is measurable, repeatable and predictable is important in laying the foundation of a secure culture. Having a process in place allows you to experiment by plugging in different concepts and ideas and seeing their material effect on your security posture. This building block is not a light switch you can flip on if you don’t already have it; it may require some long-term planning, but it is very important.
TECHNOLOGY – Don’t stress about picking the right application security analysis tool; just pick one and go with it. Getting the technology right in the beginning isn’t as important as setting the expectation throughout the organization that automation will be part of your secure culture operations, without exception.
STANDARDS – Don’t use aviation standards to build mobile apps! There are plenty of published security standards out there. Pick the one that suits your company, product and market, and spoon-feed these standards to your engineering team gradually over time. It’s a marathon, not a sprint.
DATA MANAGEMENT – This is where the fun starts. You might be a little tired when you get here, but when you start to see the data being generated from all of these building blocks, the real work begins. Too many organizations fail by patting themselves on the back at this point, stopping to admire what they have accomplished. But that’s not going to be you! Understanding the data and turning the identified security risks into opportunities for your company to catapult ahead of the competition is the battle cry of carpe diem!
TRANSPARENCY – Providing different views of the same security data to executives and engineers is absolutely essential. Understanding the importance of this information and, even more importantly, collaborating to take advantage of the opportunities it reveals is the business benefit of having a culture centered around security, one that keeps all stakeholders apprised of its current status.
So, consider yourself totally prepared to have a rocking New Year’s Eve, because now you’re armed with information. When your boss, Skippy, asks you about a sound application security strategy, you can hit a home run and get back to recovering from your holiday hangover!
Happy Holidays and Cheers!
PSC, Vice President