Management Tips to adopt a security culture in the world of development

Ken, Eureka Engineering
Dec 11, 2020

Eureka produces some of the biggest, if not the biggest, highest-grossing applications on the dating market in Japan: Pairs and Engage.

In any company, and especially in ours, it is important to consider security from the beginning to the end of a product's conception, both to show respect to our customers by making sure we take good care of them, and to protect the interests of our company.

Without security, I firmly believe that we fail in our responsibility to demonstrate that we care.

One of the biggest questions you need to ask yourself as a security manager, in a company whose security maturity needs to evolve to a world-class level, is: how do we make sure that security is well established and part of the company's culture, without impacting the business or slowing down its growth?

This blog post explains how Eureka overcame this challenge, and shares tips and tricks for evolving security maturity while gaining the approval of senior leadership and coworkers, and while reserving enough resources to maintain business growth.

Important Questions

At the start, any company whose security is not yet part of its core culture faces concerns that require serious thinking:

  • Developers know about security, but they also have to complete development by a set deadline
  • Lack of guardrails to help them develop securely without slowing them down
  • Lack of resources to balance security and business growth

Everything starts with a culture change. Senior management needs to understand that security is not an afterthought, and security managers need to understand that security is not what drives the business.

Security is the principle of protecting business growth, similar to an insurance policy: each improvement in security posture reduces the risk of hurting our customers, our company, and ultimately its profit.

To start off properly

In order to start building a security legacy and a solid security plan for your business, start by creating a three-year plan:

Take a crawl-walk-run approach.

First, assess your company's security posture using known frameworks. A good starting point that many organizations use is the NIST SP 800-53 control catalog. Ref: https://nvd.nist.gov/800-53

For each of these controls, take an honest assessment of your current posture, and turn this assessment into a scorecard that you can then present to senior management.

Of all the controls, I would say one of the most important is security education. Since security resources will always be limited, your coworkers are your frontline security team. They need to be knowledgeable about security and know how to detect potential threats to your organization. Security is not only technology; it is also processes and people, so run security awareness campaigns for your coworkers at least twice a year.

Visibility should be your next priority. It is very hard for an organization to act on threats and mitigate risks it is not aware of. You cannot know what you do not know, so make sure you have a platform where you can log, monitor and generate alerts on findings, and have an incident response plan in place to act when security incidents related to those alerts occur. A good starting point is to log failed SSH attempts on your bastion hosts or critical instances. Try to leverage the native tools offered with the technology you already work with first, since you already pay for them. This saves your company money and makes you more credible when it is time to talk about budget.
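To make the "log failed SSH attempts" starting point concrete, here is an added example (not code from Eureka or from the original post) of the detection logic you would run over sshd auth log lines once they land in your logging platform: it parses OpenSSH "Failed password" and "Accepted" messages, raises a medium-severity alert when one source IP exceeds a failure threshold inside a sliding window, and escalates to high when the same IP later logs in successfully. The log lines, the 5-failures-in-60-seconds threshold and the year 2020 (syslog timestamps carry no year) are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines for the example (not real data).
SAMPLE_AUTH_LOG = """\
Dec 11 09:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Dec 11 09:00:03 bastion sshd[2202]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2
Dec 11 09:00:04 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 51141 ssh2
Dec 11 09:00:05 bastion sshd[2204]: Accepted publickey for deploy from 198.51.100.20 port 40011 ssh2: ED25519 SHA256:abc
Dec 11 09:00:06 bastion sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51150 ssh2
Dec 11 09:00:09 bastion sshd[2206]: Failed password for invalid user ubuntu from 203.0.113.7 port 51162 ssh2
Dec 11 09:00:10 bastion sshd[2207]: Invalid user guest from 203.0.113.7 port 51170
Dec 11 09:30:00 bastion sshd[2300]: Failed password for ken from 198.51.100.20 port 40020 ssh2
Dec 11 09:30:04 bastion sshd[2301]: Accepted password for ken from 198.51.100.20 port 40020 ssh2
"""

# Syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: ..." (year is not logged).
_PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(
    _PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    _PREFIX + r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(ts, year=2020):
    """Turn a syslog timestamp into a datetime; the year is an assumption."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_events(log_text, year=2020):
    """Return (kind, timestamp, source_ip, user) tuples for auth events.

    Only 'Failed password' and 'Accepted ...' lines are kept; other sshd
    noise (e.g. bare 'Invalid user' lines) is ignored.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append(("failed", parse_ts(m["ts"], year), m["ip"], m["user"]))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            events.append(("accepted", parse_ts(m["ts"], year), m["ip"], m["user"]))
    return events


def detect_bruteforce(log_text, threshold=5, window_seconds=60, year=2020):
    """Alert per source IP when >= threshold failures fall within the window.

    A later successful login from an already-alerted IP escalates the alert
    to 'high', because a password guess that eventually worked is the case
    an incident response plan must act on first.
    """
    alerts = {}
    recent_failures = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for kind, ts, ip, user in parse_events(log_text, year):
        if kind == "failed":
            # Sliding window: drop failures older than window_seconds.
            recent = [(t, u) for t, u in recent_failures[ip]
                      if (ts - t).total_seconds() <= window_seconds]
            recent.append((ts, user))
            recent_failures[ip] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(ip, {"first_seen": recent[0][0],
                                               "count": 0, "users": [],
                                               "severity": "medium"})
                alert["count"] = max(alert["count"], len(recent))
                alert["users"] = sorted(set(alert["users"]) | {u for _, u in recent})
        elif kind == "accepted" and ip in alerts:
            alerts[ip]["severity"] = "high"
            alerts[ip]["compromised_user"] = user
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"[{alert['severity']}] {ip}: {alert['count']} failures, "
              f"users tried: {', '.join(alert['users'])}")
```

Run on the sample, only 203.0.113.7 trips the threshold (five distinct usernames in eight seconds, the signature of a credential spray); the single failed login from 198.51.100.20 followed by success is a user mistyping a password and stays below the threshold. Tune `threshold` and `window_seconds` against your own bastion traffic before wiring the output to an alert, and prefer the log platform's native query language once the logs are there rather than shipping this script around.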

When the time comes to get your roadmap approved by the business, use a top-down approach. Don't try to spread security outward from your own team; go straight to the top and let your approach propagate from the top down. The security team should not be the one negotiating with business units over accepting or rejecting the roadmap; that is the responsibility of senior management, who should be on board with your plan before anyone else. This approach will make your life much easier.

Business First!

Outside of security roadmaps and planning, get to understand your business!

Many security leads and managers make the mistake of introducing security to their organization by pushing their security objectives without first understanding the company's challenges and goals. This approach is sure to make the company wary of security and push back on security needs. Instead, take the time to understand how the organization works, what objectives the business is trying to achieve, what can make your approach to security more business-oriented, and how to align with senior management's goals.

Respect the time and resources you have on hand; don't try to force your way in where there is no room for you. You cannot ask developers to fix vulnerabilities ASAP when the business has reserved their hours for developing new product features: they will not have the time. Instead, ask the business how much time it can afford for security, and start from there. Discussions with senior management about recruitment become much easier once everyone realizes that the time reserved for security is not sufficient.

On the technical side, think about technical debt when you consider a security solution. Ask yourself: will I be able to use this technology for the long term, in alignment with my three-year plan? Technology requires time for evaluation, implementation, management and maintenance. If you don't think about this aspect, it is quite possible that you will spend company hours on something that eventually gets thrown away.

Word to the wise

My last tip: use all the resources you have, take a bit from each, and don't overwhelm them. Developing security in an organization is a marathon, not a sprint.

And remember! For most agile/DevOps-oriented companies, security is at its best when it is not felt, but is omnipresent! ;)
