The Art and Craft of a Meaningful Security Culture (UTMESSAN 2016)

Rich Smith
February 05, 2016


A short presentation given at UTMESSAN in Reykjavík Feb 2016 discussing the importance of security culture in creating effective security organisations and the role of people alongside technology.


Transcript

1. The Art and Craft of a Meaningful Security Culture
   UTMESSAN 2016, Reykjavík, Ísland. Rich Smith (@iodboi)

2. $ whoami
   • Rich Smith - Brooklyn, NYC
   • Director of Security at Etsy
   • Co-Founder of Syndis here in Reykjavík
   • Background in breaking not building: Vuln Research, Exploit Dev, Pen-Testing, Attack Framework Dev …
   • Now I use that knowledge to build security orgs

3. Who?
   • etsy.com - Marketplace for handmade & vintage items
   • Gross Marketplace Sales (GMS) $1.93 Billion in 2014
   • 22.6M active buyers, 1.5M active sellers
   • Buying & selling from nearly every country in the world
   • Offices in 7 countries, HQ in Brooklyn NYC

4. What will we talk about?
   - What is Security Culture & why is it important
   - How to foster your own security culture to improve your organisation’s security
   - Share the approaches we are taking at Etsy
6. Who thinks their organisation has …
   • A team dedicated to security?
   • An individual dedicated to security?
   • Security as a portion of someone’s role?
   • No one with official security responsibilities?
   • Has no idea at all!!

9. With this perspective it’s easy to see that people need to be considered alongside technology when thinking about security

10. The time when a single person or team can be responsible for an org’s security is long over…

14. ‘Culture includes a set of shared values, goals, and principles that guide the behaviors, activities, priorities, and decisions of a group of people working toward a common objective.’
    Karl Wiegers, Creating a Software Engineering Culture

15. Security Culture
    • A specialised engineering culture
    • Understanding that security has as much to do with people as it has to do with technology
    • As an industry, security has done a poor job of discussing the need for positive security culture
    • Often the approaches focussed on are entirely technical

24. Enabling
    A security team’s success should be measured by what they enable, not by what they block

25. Transparent
    A security team that is open as to what it does, and why, spreads understanding and is embraced

26. Blameless
    Security failures will happen; only without blame will you be able to understand the true causes
33. Great culture depends on great people
    • Abrasive members will be the single biggest factor undermining your progressive security efforts
    • Value social skills as highly as technical skills when making your security hires
    • ‘Company cultural fit’ critically important

34. Security Outreach
    • Distinct from security education
    • Focus on building relationships
    • Removes barriers / reduces intimidation
    • Can be as simple as buying cakes or beer!
    • Assign budget to this, it will be the best ROI you see

35. ‘Sociable conversation is the inevitable product of socializing. Sociable conversation is the way that human beings establish trusted relationships among themselves’
    Cory Doctorow - Information doesn’t want to be free

36. Bootcamps
    • Have people come and ‘bootcamp’ with security
    • Embracing transparency
    • Provides insight to daily security issues and concerns
    • Build strong personal relationships
    • Seed champions back out to the organization

37. Securgonomics
    • Lowering the barrier to interact with security
    • Too often security teams lock themselves away
    • Being accessible & visible to everyone is invaluable
    • Sit on the busiest office pathway you can
    • Have your security dashboards front & centre

38. Security Candy!
    • Biggest source of security pod ‘drive bys’
    • IRC bot command so people can see what’s in stock
    • Graph consumption!
40. Final thoughts
    • People matter as much (if not more) than technology
    • Building an effective security organisation needs a people, and therefore cultural, focus
    • Enable, don’t block, else you’ll make security a NOP