How to Build a Security Culture - Whiteboard Wednesday
Summary
TL;DR: In this Whiteboard Wednesday, Beau Kim emphasizes the importance of a strong security culture for organizations, highlighting the need to balance people, technology, and processes. He discusses the significance of leadership support, department champions, effective security awareness training, active security posture testing, and continuous communication to foster a shared sense of security ownership and reduce vulnerabilities.
Takeaways
- 🛡️ A strong security program must balance people, technology, and processes; a security culture addresses the human element, which security teams most often neglect.
- 👥 A company culture, particularly a security culture, is defined by the collective beliefs and behaviors of its employees.
- 📊 The 2017 Verizon DBIR found that nearly half of all breaches began with a social attack, which is why security strategies must focus on people.
- 🔝 Leadership support and buy-in are critical for establishing a strong security culture, as it sets the tone from the top down.
- 📊 Effective security awareness training is essential for employees to understand what constitutes suspicious activity and how to report it.
- 📈 A tiered approach to security training can help cater to different levels of risk and roles within an organization.
- 🔍 Actively testing security posture through social engineering campaigns can help identify and educate on potential vulnerabilities.
- 🔄 Continuous improvement of security awareness training is necessary to adapt to new risks and organizational changes.
- 📢 Transparent and continuous communication is key to maintaining a strong security culture, with quick responses to employee reports.
- 🏆 Recognizing and rewarding employee efforts in security, whether it's an incident or a false positive, helps build a shared sense of ownership.
Q & A
What is the main focus of today's Whiteboard Wednesday discussion?
- The main focus is the importance of a strong security culture and the four essential components needed to build one.
Why is it crucial to have a strong security culture within an organization?
- A strong security culture is crucial because it helps ensure that all employees understand what's right versus wrong and how to report suspicious activities, and it promotes a shared sense of ownership for security, thereby reducing the risk of breaches.
What are the three major components that need focus when building a strong security program?
- The three major components are people, technology, and processes, often referred to as the 'people, technology, and processes triangle'.
According to the Verizon DBIR mentioned, what percentage of breaches start with a social attack?
- 43% of all breaches covered by the 2017 Verizon DBIR started with some type of social attack.
How can a company's leadership support the development of a strong security culture?
- Leadership can support the development of a strong security culture by providing buy-in, clearly communicating the company's security posture, and aligning security initiatives with larger company objectives.
What is the role of department team champions in building a security culture?
- Department team champions provide feedback on new security initiatives and help to reinforce security practices within their teams and departments.
Why is effective security awareness training essential for a strong security culture?
- Effective security awareness training ensures that employees clearly understand what's right versus wrong, what data to protect, and how to report suspicious activity.
What is a tiered or targeted approach to security awareness training?
- A tiered or targeted approach to security awareness training involves providing different levels of training based on the roles and access levels within the company, with more in-depth training for those with higher risk and access.
How can social engineering campaigns help in testing a company's security posture?
- Social engineering campaigns, such as internal phishing campaigns, allow companies to test how well employees can detect and report suspicious activities, thereby identifying areas for improvement.
What is the importance of continuous communication in maintaining a strong security culture?
- Continuous communication ensures transparency, approachability of the security team, and quick response to employee reports. It also helps build a shared sense of security ownership.
How should a company respond to failed phishing attempts during social engineering campaigns?
- Instead of punishing, companies should use failed phishing attempts as an opportunity to further educate employees on what could have happened if it were a real attack, reinforcing learning and improving security awareness.
Outlines
🛡️ Building a Strong Security Culture
Beau Kim, Senior Director of Information Security at Imperva, introduces the concept of a strong security culture and its importance in today's business environment. He explains that focusing solely on technology and processes leads to a weak security posture, and emphasizes the need to balance this with a focus on people and company culture. A strong security culture involves employees understanding what constitutes suspicious activity and how to report it. Kim highlights that people are a significant attack vector, citing the 2017 Verizon DBIR finding that 43% of breaches began with a social attack. He stresses the need for shared ownership of security within an organization, rather than it being seen as someone else's responsibility. Kim suggests starting with leadership support and buy-in, and using a high-level security domain dashboard to communicate the company's security posture and initiatives. He also mentions the importance of department team champions to provide feedback on new security initiatives.
📚 Security Awareness Training and Continuous Improvement
The second part covers the necessity of effective security awareness training so that employees understand what is right and wrong in terms of security practices. Beau Kim suggests a tiered approach to training, with general awareness at the bottom and more targeted training for those with higher risk or access to sensitive data. He also discusses the importance of adjusting training as new roles or business units are created. Kim then turns to the need to actively test security posture through social engineering campaigns, which let employees practice detecting and reporting suspicious activity. He differentiates this approach by advocating remediation over punishment, using incidents as learning opportunities. The final component discussed is continuous communication, emphasizing transparency, approachability, and quick response to employee reports. Kim suggests distributing internal reports to show the company's security posture and reinforce new initiatives, encouraging a shared sense of security ownership among employees.
Keywords
💡Security Culture
💡People, Technology, and Processes Triangle
💡Social Engineering
💡Leadership Support
💡Security Domain Dashboard
💡Security Awareness Training
💡Data Classification
💡Account Takeover
💡Social Engineering Campaigns
💡Remediation
💡Continuous Communication
Highlights
The importance of a strong security culture and its four essential components are discussed.
A strong security program requires a balance of people, technology, and processes.
Security professionals often focus more on technology and processes, neglecting the people aspect.
A company culture is defined by its beliefs and resulting behaviors.
Employees in a strong security culture understand what's right versus wrong.
People are a major attack vector, with 43% of breaches starting with social attacks.
A weak security culture leaves the organization vulnerable to attacks.
Security should be a shared responsibility, not someone else's.
Leadership support and buy-in are crucial for building a strong security culture.
Company culture is defined from the top, and leadership sets the tone.
Security professionals need to communicate the current security posture and upcoming initiatives.
Imperva uses a high-level security domain dashboard to score and represent security.
Department team champions help provide feedback on new security initiatives.
Effective security awareness training is essential for a strong security culture.
A tiered approach to security awareness training is recommended.
Continuous adjustment and improvement of security awareness training is necessary.
Actively testing security posture through social engineering campaigns is important.
Remediate rather than punish after a failed phishing attempt.
Continuous communication and transparency are key to a strong security culture.
Rewarding employee behavior for reporting helps build a shared sense of security ownership.
Internal reports showing the company's security posture and new initiatives should be distributed.
Transcripts
Hello everyone, and welcome to today's Whiteboard Wednesday. My name is Beau Kim. I'm the Senior Director of Information Security here at Imperva, and for today's topic we're going to be discussing the importance of a strong security culture and four essential components needed to build one.

So to begin, let's talk about the reason why we need a strong security culture. As with any other major business objective or initiative, when we are trying to build a strong security program within our organization we need to focus on three major components, and that's going to be the infamous people, technology, and processes triangle. A lot of times, though, unfortunately we find ourselves as security professionals focusing a lot more on the technology and processes side, which puts us in an unbalanced and weak position. Today we're going to be talking about what we can do to focus more on the people aspect or component, and in this context we're really talking about company culture. So a company culture is basically the beliefs and resulting behaviors of the organization. So in an organization that has a strong security culture, employees have a clear understanding of what's right versus wrong, the type of activity that they should report on in terms of being suspicious, and who and how to contact the right team.

So people are a major attack vector. The 2017 Verizon DBIR showed that 43% of all breaches that they covered started with some type of social attack. If we continue to position ourselves in a weak position, focused purely on technology and processes, we're essentially leaving ourselves vulnerable to an attack vector that accounts for nearly half of all current-day breaches. And then finally, in a company that doesn't have a strong security culture, security becomes someone else's responsibility, and the whole point of a strong security culture is to have a shared sense of ownership, and so we know that someone else's responsibility is definitely not where we want to be.

First and foremost, the biggest impact you can make on your company's security culture is to start at the top and get your leadership support and buy-in. Company culture is absolutely defined from the top; leadership brings it throughout the organization. And just like any other business unit, we as security professionals need to do a good job in really communicating where we are in terms of our current company security posture and clearly communicate some of our upcoming security initiatives. And this can obviously be done through frequent reporting; however, don't just stick to some of the low-level security metrics. Be able to tie it into some larger-level objective or initiative that aligns with your company's objectives, or clearly states or clearly represents a true risk to the company. So for example, here at Imperva we start with a high-level security domain dashboard, where basically we've broken out our security program into the major security domains that we feel define it, and then we score it on a scale of zero to five, which essentially is an adoption of the enterprise maturity model. Each of those scores is then represented or reinforced through supporting metrics and KPIs so that we know where we need to get to. Some of the domains that we report on, for example: our effective security awareness training, with a supporting metric of failed phishing awareness attempts. Another example would be our defensive posture against account takeover, with a supporting metric of percentage of systems behind multi-factor authentication. Once you have that leadership buy-in and support, make sure you start to move further south into the organization and establish department team champions, and these are going to basically be the local teams and the local departments and leaders of those departments that can help provide that feedback once you're rolling out new security initiatives.

The second component is going to be effective security awareness training. Simply put, you can't have a strong security culture without your employees clearly understanding what's right versus wrong, what it is that you're trying to actually protect (so your data classification), and also how to report suspicious activity and to what team. So one way that you can actually build your security awareness training program is to approach it from a tiered or targeted approach, and so as you can see in this triangle, as we go up the triangle risk goes up, but the exposure there, the number of roles within the company, decreases. So at the bottom level, where the triangle is the widest, we start with your general security awareness training. An example of an element of this training would be your data classification; again, everyone needs to know what you're trying to actually protect. To take that example one step further, so for example if you were a software company, source code is probably going to be pretty high on that list. As you move up, though, the people that actually have access to that source code are at that intermediate level, and so they need to get a little bit more targeted training. And then finally the people that are the administrators, the ones that actually administer your source code repositories, are going to have that in-depth training, because as we go up, again, the risk goes up. And then finally you want to continuously adjust to improve, so if there's any new risks or any new roles or business units created within your organization, you want to reassess to ensure that this is current and that you're covering all roles within the organization.

The third component is going to be to actively test your security posture. You can't just simply rely on your passive security awareness training, and one way you could clearly do this is through social engineering campaigns, or in other words internal phishing campaigns. And what this does is it gives your employees the ability to test their knowledge on how to detect suspicious activity and then also how to report it to the right team. One of the key differentiators here, and biggest impacts you can make though with this component, is your remediation. Instead of punishing, your team should take this as an opportunity to educate the employee further. So for example, if there was a failed phishing attempt, the employee that was affected, your team should approach them and basically let them know essentially what assets within the organization could have been breached or what path the malware could have taken.

The fourth component is going to be continuous communications. The bottom line here is transparency is key. Your team needs to be approachable. The channels that you've set aside for your employees to contact your security team, when they're used, they need to be responded to very quickly. Your employees need to understand that you take their reports very seriously, and that it helps build that shared sense of security ownership. Also, regardless of whether it's an actual incident or a false positive, reward their behavior so that again you're building that shared sense of security ownership. And finally, similar to what we were doing with the leadership reports, feel free to distribute internal reports that show the current posture of the company and then also reinforce some of the new initiatives that you're deploying within your organization. So if you have a new security awareness training initiative or campaign, show the improvements quarter-over-quarter to your employees so that they understand that their efforts are part of a larger initiative.

Thank you for joining today's Whiteboard Wednesday. I hope the topic that we discussed today helps you build a stronger security culture within your organization. We look forward to you joining us in future sessions.