Changing the Culture Around Info Sec

The culture around information security is vastly different than what it should be. Professionals are burning out because businesses aren’t handling info sec properly. There’s a shortage of these professionals in the market. Veterans are leaving the industry largely because businesses don’t want to pay large teams of people to make sure tasks are handled properly. A team of four people will never be able to keep up in a company with 10,000 employees. The culture needs to change and adapt with the global changes and rise of cybercrime.

The first step in changing the culture is to make people responsible for their contribution to info sec. Right now, people can point the finger at someone else in another department, or at some other company, and blame them for the problem at hand. Making everyone responsible means they are more likely to treat info sec seriously and ensure they are doing their part to mitigate risk.

The biggest and most valuable way to change the culture around info sec is by implementing it from the beginning. Startups generally have an attitude of “let’s go fast and get this done, and we’ll deal with the rest later,” because it’s about making money. But if you establish a culture around info sec from the beginning, ensuring that the products you are rolling out are secure as you go, you’ll realize that it really doesn’t take much more time than ignoring security. Ignoring security will result in backlash and having to take extra time to go fix the problems that have been ignored. Long term, you will gain more speed from approaching security up front.

Established businesses need to take their temperature to see where they are in their journey to becoming secure. If it’s in the early stages, there’s going to be a remediation process. There may be thousands of tickets opened when the process starts, but it’s not feasible to go and close them all at once. Draw a line in the sand and understand that some percentage of your 10,000 tickets are severe enough to shut you down. Fix those. Then go back to setting up policies and procedures, set up security as an enabler and get security involved early in the cycle. Start working fixes into other code edits as you’re refactoring features.

As you build up the culture, problems will remediate themselves. Tickets will get closed, and as coders learn the principles of secure coding, what to do and what not to do, your risk profile will shrink.

The key is to start building the culture around info sec as early as possible. For a startup, that means from the birth of your business. For an established business, that means from the moment you start to implement security measures. The earlier you start building the culture, the less risk you assume and the less likely you are to have problems. Once it’s ingrained into your coders and other technology employees, it will become rote, which is ultimately what you want: security and quality assurance going hand in hand, resulting in efficiency.

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early-stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries in finance, media, medical tech, and defense contracting. He has also authored the highly influential precursor HAZL (jADE) programming language.
