The culture around information security is vastly different from what it should be. Professionals are burning out because businesses aren’t handling info sec properly, and there’s a shortage of these professionals in the market. Veterans are leaving the industry largely because businesses don’t want to pay for teams large enough to make sure tasks are handled properly. A team of four people will never be able to keep up in a company with 10,000 employees. The culture needs to change and adapt to global changes and the rise of cybercrime.
The first step in changing the culture is to make people responsible for their own contribution to info sec. Right now, people can point the finger at someone in another department, or at some other company, and blame them for the problem at hand. Making everyone responsible means they are more likely to treat info sec seriously and ensure they are doing their part to mitigate risk.
The biggest and most valuable way to change the culture around info sec is to implement it from the beginning. Startups generally have an attitude of “let’s go fast, get this done, and deal with the rest later,” because it’s about making money. But if you establish a culture around info sec from the beginning, ensuring that the products you roll out are secure as you go, you’ll find that it really doesn’t take much more time than ignoring security. Ignoring security results in backlash and extra time spent going back to fix the problems that were ignored. Long term, you gain more speed by approaching security up front.
Established businesses need to take their temperature to see where they are on the journey to becoming secure. If they are in the early stages, there’s going to be a remediation process. Thousands of tickets may be opened when the process starts, but it’s not feasible to close them all at once. Draw a line in the sand and recognize that some percentage of your 10,000 tickets are severe enough to shut you down. Fix those first. Then go back to setting up policies and procedures, position security as an enabler, and get security involved early in the cycle. Start working fixes into other code changes as you refactor features.
As you build up the culture, problems will remediate themselves. Tickets will get closed and as coders learn the principles of secure coding, what to do and what not to do, your risk profile will shrink.
The key is to start building the culture around info sec as early as possible. For a startup, that means from the birth of the business. For an established business, that means from the moment you start to implement security measures. The earlier you start building the culture, the less risk you assume and the less likely you are to have problems. Once it’s ingrained in your coders and other technology employees, it becomes rote, which is ultimately what you want: security and quality assurance going hand in hand, resulting in efficiency.