In today’s digital age, cybersecurity has become an essential component of every organization’s operations. Information security (infosec) leaders are increasingly trying to instill a culture of cybersecurity in their companies to ensure that security is part of everything they deliver. However, according to Merritt Baer, a principal in the office of the CISO at Amazon’s AWS service, good intentions are not enough. Culture ultimately reflects what an organization does, and a culture of security can only be achieved by doing it.
According to Baer, security must be central to the value proposition that security leaders offer their stakeholders and users. To accomplish this, security must be woven into core business delivery. For instance, after training 2,000 of its developers in cybersecurity techniques, Amazon saw a 22 percent decrease in medium and high severity vulnerabilities in code. This led to less time spent on security code reviews and reduced friction in the application security process, resulting in significant time savings in the development cycle.
To create a culture of security, employees must be encouraged to make the secure thing the easy thing to do. However, Baer notes that the biggest obstacle to building a cybersecurity culture is the misperception of risk. Most employees believe that security matters, but they are hesitant to move to the cloud or adjust their manual approaches to security because they don’t observe the risks of staying in place. Therefore, the culture of being risk-adverse and being the traditional shop of “no” gets in the way.
To overcome this obstacle, security teams must adopt agile application development methodologies and think of ways to do infrastructure as code or make encryption a policy requirement. To build a security culture, executive sponsorship is also necessary. At Amazon, they have “forced blameless escalation” where anything that goes wrong and isn’t fixed can be reported up the management chain. Senior leadership knows they have to answer the phone for security, making security something everybody has to care about.
In conclusion, building a cybersecurity culture requires action and investment in the day-to-day operations and business priorities that allow security to be a top priority. Companies must demonstrate the value proposition of how security can be part of everything they deliver to their stakeholders and users. By doing this, they can make the secure thing the easy thing to do, and everyone can care about security.