
Culture trumps technology

Technology is used to support your culture

Culture is the default behaviour of an organisation. Culture is the thing that informs behaviour and is what people fall back on. This is especially true in times of stress or pressure.

Technology is used to support your culture. Technology is supposed to be an enabler for your business. What this means is that the technology choices you make should make it easy for people to make good choices, get data about the things they build and support, and change them where needed.

As security people we are often tasked with 'keeping the organisation safe'. However, in a lot of cases the things that need to be done to achieve this are outside of the security organisation, which leads us to the next point.

Security is everyone's job

Your business isn't just a bunch of microservices, your transactional web application or your analytics platform. It's people as well. These people are going to be making decisions each day, from deciding your container strategy to the flow of a user through an application. If each of these decisions has to go through a person with security in their job title then the business can't move at the speed it needs to. Typically there are 100s of developers, engineers and architects for every 1 security person. You can't scale this with humans. Or at least, you can't scale this by relying on humans who have the word security in their job title. The decisions that affect the security of your organisation will be made by everyone in the business. So how do you scale the smaller number of security folks?

The job of security professionals is to help everyone else make good security decisions

You do this by creating an environment where the easiest thing to do is the [appropriately] secure thing. Our job is to educate and enable. We can do this in a few ways. We can build a technology environment where the services that people need to build applications are easily consumable. This could be a source of known good AMIs as a starting point for deploying EC2 instances, as well as the tests that can be run by asset teams to help them understand if their configuration is moving away from the known good state. It could be an endpoint in every environment to which people can send logs, so the data can be aggregated and viewed. It could be an identity platform with an SDK that people use when they build customer facing applications. These are all things that enable people to build sensibly.

From an education perspective we, as security people, should be explaining why we are asking for certain outcomes. It is likely that the engineers in your organisation will be able to help you get to the outcome once they understand the problem. It also means that we get away from the traditional security approach of turning up to tell people they can't do a thing without having told them up front why it is bad.

Talk to each other

We are all trying to solve the same problem. We are all trying to ensure that the companies we work for or with are able to deliver applications to their end customers. Customer trust is hugely important, whatever your industry, so keeping people's information safe is a foundational functional requirement. We may have different perspectives and be measured in different ways. Working together means that we can learn from each other, be better than we were yesterday and improve the experience for all concerned.

By talking to people outside our silos (and making sure we listen as well) we can elevate our culture, improve our security posture and focus on the things that really matter.

How do you get started?

Get together with people from other parts of your business. Look at yourself. How are you helping other parts of your organisation understand what your perspective is, and are you listening to theirs? Are you engaging your security people early enough so that you have time to work through things together? When engineers ask for capability, do you understand why?

Start cross functional teams. Regularly working together helps build a sense of collaboration. Look at the challenges multiple teams are having and see if you can build capability that helps all of them. See where the people doing good things are in your organisation and get them to contribute back to the wider community. Make sure you have diversity of thought; just because you have not thought of something doesn't mean it is not important.

Be optimistic

It is very easy in security to focus only on what could go wrong. Look instead for how you can improve. How can the technology choices you make support the culture of security that will mean you can solve the hard problems today and in the future?