The Art and Craft of a Meaningful Security Culture (UTMESSAN 2016)

Rich Smith
February 05, 2016

A short presentation given at UTMESSAN in Reykjavík Feb 2016 discussing the importance of security culture in creating effective security organisations and the role of people alongside technology.

  1. The Art and Craft of a Meaningful Security Culture. UTMESSAN 2016, Reykjavík, Ísland. Rich Smith (@iodboi)
  2. $ whoami
     • Rich Smith - Brooklyn, NYC
     • Director of Security at Etsy
     • Co-Founder of Syndis here in Reykjavík
     • Background in breaking not building: Vuln Research, Exploit Dev, Pen-Testing, Attack Framework Dev …
     • Now I use that knowledge to build security orgs
  3. Who?
     • etsy.com - Marketplace for handmade & vintage items
     • Gross Marketplace Sales (GMS) $1.93 Billion in 2014
     • 22.6M active buyers, 1.5M active sellers
     • Buying & selling from nearly every country in the world
     • Offices in 7 countries, HQ in Brooklyn NYC
  4. What will we talk about?
     - What is Security Culture & why is it important
     - How to foster your own security culture to improve your organisation's security
     - Share the approaches we are taking at Etsy
  5. Disclaimer: A + B != Culture
  6. Who thinks their organisation has …
     • A team dedicated to security?
     • An individual dedicated to security?
     • Security as a portion of someone's role?
     • No one with official security responsibilities?
     • Has no idea at all !!
  7. Security from 50,000 ft
  8. (diagram) Technology / Society / Technology / Security
  9. With this perspective it's easy to see that people need to be considered alongside technology when thinking about security
  10. The time when a single person or team can be responsible for an org's security is long over…
  11. …it is up to EVERYONE
  12. Building an effective security organisation requires the creation of security
  13. But what is security culture?
  14. 'Culture includes a set of shared values, goals, and principles that guide the behaviors, activities, priorities, and decisions of a group of people working toward a common objective.' Karl Wiegers, Creating a Software Engineering Culture
  15. Security Culture
     • A specialised engineering culture
     • Understanding that security has as much to do with people as it has to do with technology
     • As an industry, security has done a poor job of discussing the need for positive security culture
     • Often the approaches focussed on are entirely technical
  16. 'Classical' security approaches are not conducive to building a security culture people buy into…
  17. …in fact they often do quite the opposite
  18. Classical == Restrictions
  19. Classical == Blocking
  20. If security introduces blocking to an org, it will be ignored, not embraced
  21. Classical security values hard technical skills, not interpersonal skills
  22. So what is the alternative?
  23. 3 Principles of Effective Security
     1. Enabling
     2. Transparent
     3. Blameless
  24. Enabling: A security team's success should be measured by what they enable, not by what they block
  25. Transparent: A security team that is open as to what it does, and why, spreads understanding and is embraced
  26. Blameless: Security failures will happen; only without blame will you be able to understand the true causes
  27. These principles help share security responsibility amongst the whole
  28. This creates shared objectives around which security culture can
  29. Some Practical Steps To Help Foster A Security Culture
  30. Great culture depends on great people
  31. Security Team Hiring. Number 1 rule …… Don't Hire
  32. Security Team Hiring. If you inadvertently do, or you inherit one…… Remove them ASAP
  33. Great culture depends on great people
     • Abrasive members will be the single biggest factor undermining your progressive security efforts
     • Value social skills as highly as technical skills when making your security hires
     • 'Company cultural fit' critically important
  34. Security Outreach
     • Distinct from security education
     • Focus on building relationships
     • Removes barriers / reduces intimidation
     • Can be as simple as buying cakes or beer!
     • Assign budget to this, it will be the best ROI you see
  35. 'Sociable conversation is the inevitable product of socializing. Sociable conversation is the way that human beings establish trusted relationships among themselves.' Cory Doctorow - Information Doesn't Want to Be Free
  36. Bootcamps
     • Have people come and 'bootcamp' with security
     • Embracing transparency
     • Provides insight into daily security issues and concerns
     • Build strong personal relationships
     • Seed champions back out to the organization
  37. Securgonomics
     • Lowering the barrier to interact with security
     • Too often security teams lock themselves away
     • Being accessible & visible to everyone is invaluable
     • Sit on the busiest office pathway you can
     • Have your security dashboards front & centre
  38. Security Candy!
     • Biggest source of security pod 'drive bys'
     • IRC bot command so people can see what's in stock
     • Graph consumption!
  39. Wrap up
  40. Final thoughts
     • People matter as much as (if not more than) technology
     • Building an effective security organisation needs a people focus, and therefore a cultural focus
     • Enable, don't block, else you'll make security a NOP
  41. Enabling. Transparent. Blameless.
  42. <Questions? /> Blog: sin-ack.co.uk / Presentations: speakerdeck.com/iodboi / Tweetz: twitter.com/iodboi / Code: github.com/mynameismeerkat