Building A Cyber Security Culture Requires Goodwill
Imagine a world in which cyber security programs could generate goodwill instead of obstacles.
The most difficult inherent contradiction of goodwill, of course, is that goodwill involves giving before getting.
And cyber security teams, by design, seem to be always asking... or telling. They are perceived as always trying to get something, and there is nothing fundamentally two-way about always trying to get something.
But what if the "asking" and "getting" don't always have to be one-sided? Could goodwill somehow become part of the equation?
Let's reframe the way we view cyber security: from something fundamentally one-sided and intrusive into something shared and helpful.
Could goodwill be generated in a way that makes both cyber security teams and the business process owners who carry the risk want to share key objectives?
Sometimes the only cost to a cyber team of garnering goodwill that turns into shared objectives is its time.
Generating goodwill can be as simple as structuring a formal way to engage with business process owners, with a goal of nothing more than listening to a team's business priorities. Once your team understands those priorities, you can apply some flexibility and empathy to security timelines. By aligning the timelines of security initiatives with the team's own priorities, you can support them with the controls that fit their current work and get the other controls prioritized later on. Other times, you might have to put a security initiative on hold for that team until they finish their key work, in exchange for your work becoming their priority once they are done.
I can imagine the hardcore cyber practitioners amongst us gritting their teeth right now. But most hardcore cyber practitioners also aren't good at being situational. I'll agree that some situations require immediate action in the moment... but most don't. If something has been broken for years and the "cost" of getting it fixed on a priority basis is a few weeks, not only will you get the fix, you will also generate some always-needed goodwill. Goodwill that might pay dividends the next time you need immediate action.
Pro Tip: A great rule that builds trust in sharing objectives and goodwill is to always give full credit to non-security teams that finish work that makes the organization more secure.
The goal shouldn't be to get credit. It should be to get results. And if security is loosely defined as "managing broad change for a sustained period of time", results matter over time... not a single win that loses the rest of the war.
The good news is that not all goodwill requires situational objectives, fierce negotiations, or high cost. For instance, low-cost alternatives might be inviting business process owners to local conferences or events. It might mean starting a set of security-focused "Lunch and Learns". There may be no free lunches, but everyone likes lunch. Food and casual conversation can generate genuine interest and curiosity in cyber security topics as well as goodwill.
Sometimes, you just have to be creative or put more of your own skin in the game.
This year, I’m planning on bringing a big name secure development lifecycle security certification prep course onsite to our company to train and certify our application security team. That said, if it happens, we’d make seats available to various software development leaders to dole out to developers and testers as they please. [Post COVID edit: we still did this by changing the training to remote training]
We did the same previously with more general CISSP training — we hosted an onsite prep course for the cyber team that we opened to other IT teams within the company. The cyber team now has a high percentage of certified members as a result, and opening the training resulted in several folks from other IT teams being certified as well. Even for those who didn't gain the cert, having teams that cyber engages with in the training session was still a win-win that generated a lot of informal security champions and overall goodwill. We hope for the same with our app sec prep course.
Because you need goodwill in order to be successful in changing a culture.
And, that often means giving before getting.
Or even asking for nothing in return.
Like what you’ve read enough to follow me on Twitter? @Opinionatedsec1.