A common mistake that we see organizations make is putting off security until they hire someone who specializes in it. Depending on the size of your company and the nature of your business, this could mean waiting several years to start taking security seriously. In today’s threat environment, that’s not realistic or practical. And, even when you decide you’re ready to bring someone in-house to focus on security — given the current security talent shortage — odds are it could take a while to find the right hire.
This is why we believe that organizations should start thinking about security as a competency, rather than simply a job description. You don’t need to have a CISO or a SOC or even a security analyst on your team before you can start taking steps to improve your security posture. The potential consequences of a breach (financial loss, reputation damage, downtime, or IP loss, to name a few) are too serious to ignore.
With that in mind, here’s how to start viewing security as a skill and how to boost that skill across your organization.
Define What Security Means to Your Organization
Before you start thinking about how to improve your team’s security skills, take a step back and define what security means to your organization. Your priorities, regulatory requirements, customer demands, and the nature of your business all shape what “secure” means for you, and you can build on that definition over time. Remember: the goal is not to be the most secure company ever. Being more secure than the average company is a sensible first target against opportunistic attackers, but the bar should ultimately be set by your own assets and the threats you realistically face, not by the average.
If you are a tech company that produces software, security might mean running static code analysis on every release you ship. If you are in a heavily regulated field (e.g., healthcare, finance, government), “being secure” will first and foremost mean meeting compliance requirements such as PCI DSS, HIPAA, and SOC 2, bearing in mind that compliance is a floor to build on rather than the whole of security. If you are a large enterprise, it could mean defining processes and procedures for handling security incidents in a codified, repeatable format.
Regardless, take the time to decide what it means for your organization to be secure. With this answer in mind, you can begin increasing the security skills of your team.
Foster a Security-Conscious Culture
Next, you will want to work on increasing security awareness throughout your organization. One good way to do this is to put together a security awareness program. Because security is both a technical challenge and a people challenge, you want to make sure everyone on your team understands the importance of security and how it fits into their day-to-day responsibilities.
As we explained in an earlier post, a security awareness program should be built on four main pillars:
- Communication: Top-down conversations about what security means and why it matters.
- Checklists: Organized, prioritized list(s) of security best practices that apply to your business.
- Content: A cache of relevant content that employees can reference when it comes to security (or content that can be delivered via training sessions).
- Controls: Safeguards to protect your organization and limit fallout in the event of a security incident.
Regular, ongoing security training should be part of your organizational culture. New hires should get a deep-dive into how you approach security, and employees should be provided with refreshers from time to time. Our “rule of three” for how often to provide security training is:
- When new employees join the team.
- After an incident occurs.
- At regular intervals throughout the year.
Making security a part of the ongoing conversation means that every employee can become a security ambassador, empowered to see security as a skill they possess, not as a person they can run to when stuff hits the fan. Even better, this means that if and when you do decide to hire a security person, you’ll make that person’s job a whole lot easier because you have already established security goals and have a security culture in the organization.
Hire People Who Believe in Security
In addition to inculcating a security culture within your organization, it’s a good idea to hire folks who already believe in the value of security. This is especially true when it comes to technical roles (e.g., DevOps, QA). You should educate your hiring team about why they should be sourcing candidates who understand the importance of security and can demonstrate competency by applying best practices to their roles. Hiring security-minded people is a great way to increase the overall security know-how and competency of your organization.
Put Technology to Work
Besides making security part of your culture and hiring people who believe in it, you’ll need to start taking steps toward becoming a more secure organization. Not sure where to start? We don’t blame you. It can be overwhelming.
The great news is that it has never been easier to start building a solid foundation with security. With a tool like Threat Stack’s Configuration Auditing, for example, you can scan your entire AWS infrastructure and, within seconds, see which AWS services are configured according to industry security standards (AWS Security Best Practices and CIS AWS Foundations Benchmark) and quickly make adjustments to settings that don’t comply.
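To make concrete what a configuration audit against the CIS AWS Foundations Benchmark actually checks, here is an added example. It is not Threat Stack’s Configuration Auditing code and does not call AWS: it evaluates a constructed snapshot of account settings against five well-known CIS controls. The snapshot shape is an assumption modelled loosely on the boto3 responses for iam.get_account_summary, iam.get_account_password_policy and cloudtrail.describe_trails; a real audit would populate it from those API calls. Control numbers follow benchmark v1.2.0 (later versions renumber the same controls).

```python
"""CIS-style configuration audit over a snapshot of AWS account settings.

Added example, not Threat Stack's product code. Checks a handful of
CIS AWS Foundations Benchmark controls (v1.2.0 numbering) against a
snapshot dict. The snapshot keys are an assumption, modelled loosely on
boto3 responses (iam.get_account_summary, iam.get_account_password_policy,
cloudtrail.describe_trails); populate them from those calls in practice.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Finding:
    control: str   # CIS control id (v1.2.0 numbering)
    title: str
    passed: bool
    detail: str


# Constructed snapshot of a deliberately weak account. Not real data.
SAMPLE_SNAPSHOT = {
    "account_summary": {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1},
    "password_policy": {"MinimumPasswordLength": 8, "RequireSymbols": True},
    "trails": [
        {"Name": "mgmt-events", "IsMultiRegionTrail": False,
         "LogFileValidationEnabled": False, "IsLogging": True},
    ],
}


def check_root_access_keys(s: dict) -> Finding:
    """CIS 1.12: no access key should exist for the root account."""
    keys = s["account_summary"].get("AccountAccessKeysPresent", 0)
    return Finding("1.12", "No root access keys", keys == 0,
                   f"root access keys present: {keys}")


def check_root_mfa(s: dict) -> Finding:
    """CIS 1.13: MFA enabled for the root account."""
    mfa = s["account_summary"].get("AccountMFAEnabled", 0)
    return Finding("1.13", "Root MFA enabled", mfa == 1,
                   f"AccountMFAEnabled={mfa}")


def check_password_length(s: dict, minimum: int = 14) -> Finding:
    """CIS 1.9: password policy requires at least 14 characters.
    A missing policy counts as a failure (the AWS default minimum is 6)."""
    policy = s.get("password_policy") or {}
    length = policy.get("MinimumPasswordLength", 0)
    return Finding("1.9", f"Password minimum length >= {minimum}",
                   length >= minimum, f"MinimumPasswordLength={length}")


def check_multiregion_trail(s: dict) -> Finding:
    """CIS 2.1: at least one CloudTrail trail is multi-region and logging."""
    trails = s.get("trails", [])
    ok = any(t.get("IsMultiRegionTrail") and t.get("IsLogging") for t in trails)
    return Finding("2.1", "CloudTrail enabled in all regions", ok,
                   f"trails: {[t['Name'] for t in trails]}")


def check_log_file_validation(s: dict) -> Finding:
    """CIS 2.2: log file validation enabled on every trail.
    Zero trails is a failure: there is nothing to validate."""
    trails = s.get("trails", [])
    unvalidated = [t["Name"] for t in trails if not t.get("LogFileValidationEnabled")]
    ok = bool(trails) and not unvalidated
    return Finding("2.2", "CloudTrail log file validation", ok,
                   f"trails without validation: {unvalidated}")


CHECKS: list[Callable[[dict], Finding]] = [
    check_root_access_keys, check_root_mfa, check_password_length,
    check_multiregion_trail, check_log_file_validation,
]


def audit(snapshot: dict) -> list[Finding]:
    """Run every check and return all findings, pass or fail."""
    return [check(snapshot) for check in CHECKS]


def failing_controls(snapshot: dict) -> list[str]:
    """Control ids that need remediation, in benchmark order."""
    return [f.control for f in audit(snapshot) if not f.passed]


if __name__ == "__main__":
    for f in audit(SAMPLE_SNAPSHOT):
        status = "PASS" if f.passed else "FAIL"
        print(f"[{status}] CIS {f.control} {f.title}: {f.detail}")
```

Two caveats worth keeping in mind: the full benchmark has around fifty controls, so five checks are a sketch of the approach, not a substitute for it; and a snapshot is a point-in-time view, so the value of tooling like the above comes from running it continuously and treating any newly failing control as configuration drift to investigate.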
Continuous Security Improvement
From our view, one of the most important aspects of embracing security as a competency — rather than a person or a team you need to hire — is developing a continuous improvement mindset.
We’ve written before about why you shouldn’t make perfect security the enemy of good security. The reality of today’s threat landscape is that you’ll never be perfectly secure. Instead, you'll do fine if you focus on being more secure today than you were yesterday, and maintain that kind of steady, incremental improvement as your organization grows and evolves. The result will be an organization where security is always an active part of the culture and where it is viewed as a responsibility that is shared by all employees. And that will mean a stronger business overall.