Dear Executive,
Last night, your company was breached, and it was potentially you who allowed that to happen.
“How is this possible?” you say. “I spent the money. I hired the people. I bought [insert flavor-of-the-year security solution]. I attended the conferences and went to the classes. We were locked down!”
Your manifold millions of dollars of security solutions and personnel were subverted in a savvy feat of technomancy by threat actors and, instead of some new zero day, they exploited a CVE from 2019. The reason they could succeed had everything to do with your corporate culture.
“But we have great corporate culture! Our people are happy and enthusiastic!”
While that is a valuable advantage for a company to have, through action – or inaction – leaders frequently also create a culture of intimidation and reluctance to innovate and speak out in their organizations. This happens by fostering a focus on delivering the production objectives of leadership at all costs. When security hygiene is not held in the same reverence as production, it creates an atmosphere where maintaining production levels dominates and the drive to stay secure surrenders to fear.
TL;DR: People stop innovating when they fear retaliation.
Does the organization create a culture of security as a core philosophy?
Even casual negative comments dropped in conversation from leadership can have an effect at the working level that will make any enterprise lumber like Frankenstein instead of dancing like Fred Astaire.
A culture of fear and retaliation flows from the top. Conversely, it must stop at the top, and not just implicitly. Understanding and wisdom must be driven from the top in outspoken terms and backed up with actions.
The key is to rationally accept risk and explicitly state that people won’t lose their jobs due to an incident – if they responsibly innovate. You have to back your words up with top cover.
Being a leader means taking the heat when security innovation might cause disruptions – and having the wisdom to keep doing it.
So what are some simple steps executives can take to build a smart security culture?
Executives must broadcast their stance that security is an evolving field and requires agility and tolerance of change. Agile organizations are ready to embrace the concept espoused by the legendary Bruce Lee: "Empty your mind, be formless, shapeless, like water. If you put water into a cup, it becomes the cup."
Security’s “cup” will change before the paint is dry on the latest whizbang security appliance and the “water” will need to flow into it. Threats on the internet are inherently asymmetric,* and we will never know when they are coming or what form they will take.
With the grace to tolerate calculated risk internally, executives become the inspiration for their organization to grow.
Without it, security becomes secondary and the organization risks becoming the news article outsiders cite in their next security expenditure justifications.
For more on how to improve security operations, read our series, “Elements of Security Operations.”
*Asymmetric warfare (military concept) is conflict between belligerents whose relative capacity to make war differs significantly and implies irregular attack intervals and wildly changing vectors to subvert static defenses.
Bruce Hembree is a Cortex Field CTO for Palo Alto Networks.
Andre Ludwig is Chief Product Officer for Bricata.
Sasha Hellberg is Senior Manager of Threat Intelligence at Bell Canada.