The Art and Craft of a Meaningful Security Culture (UTMESSAN 2016)

Rich Smith
February 05, 2016


A short presentation given at UTMESSAN in Reykjavík, Feb 2016, discussing the importance of security culture in creating effective security organisations and the role of people alongside technology.


  Slide 1
    The Art and Craft of a Meaningful Security Culture
    UTMESSAN 2016, Reykjavík, Ísland
    Rich Smith (@iodboi)

  Slide 2: $ whoami
    • Rich Smith - Brooklyn, NYC
    • Director of Security at Etsy
    • Co-Founder of Syndis here in Reykjavík
    • Background in breaking not building: Vuln Research, Exploit Dev, Pen-Testing, Attack Framework Dev …
    • Now I use that knowledge to build security orgs

  Slide 3: Who?
    • Marketplace for handmade & vintage items
    • Gross Marketplace Sales (GMS) $1.93 Billion in 2014
    • 22.6M active buyers, 1.5M active sellers
    • Buying & selling from nearly every country in the world
    • Offices in 7 countries, HQ in Brooklyn NYC

  Slide 4: What will we talk about?
    - What is Security Culture & why is it important
    - How to foster your own security culture to improve your organisation’s security
    - Share the approaches we are taking at Etsy

  Slide 6: Who thinks their organisation has …
    • A team dedicated to security?
    • An individual dedicated to security?
    • Security as a portion of someone’s role?
    • No one with official security responsibilities?
    • Has no idea at all!!

  Slide 9
    With this perspective it’s easy to see that people need to be considered alongside technology when thinking about security

  Slide 10
    The time when a single person or team can be responsible for an org’s security is long over…

  Slide 14
    ‘Culture includes a set of shared values, goals, and principles that guide the behaviors, activities, priorities, and decisions of a group of people working toward a common objective.’
    Karl Wiegers, Creating a Software Engineering Culture

  Slide 15: Security Culture
    • A specialised engineering culture
    • Understanding that security has as much to do with people as it has to do with technology
    • As an industry, security has done a poor job of discussing the need for positive security culture
    • Often the approaches focussed on are entirely technical

  Slide 24: Enabling
    A security team’s success should be measured by what they enable, not by what they block

  Slide 25: Transparent
    A security team that is open as to what it does, and why, spreads understanding and is embraced

  Slide 26: Blameless
    Security failures will happen; only without blame will you be able to understand the true causes

  Slide 32

  Slide 33: Great culture depends on great people
    • Abrasive members will be the single biggest factor undermining your progressive security efforts
    • Value social skills as highly as technical skills when making your security hires
    • ‘Company cultural fit’ critically important

  Slide 34: Security Outreach
    • Distinct from security education
    • Focus on building relationships
    • Removes barriers / reduces intimidation
    • Can be as simple as buying cakes or beer!
    • Assign budget to this, it will be the best ROI you see

  Slide 35
    ‘Sociable conversation is the inevitable product of socializing. Sociable conversation is the way that human beings establish trusted relationships among themselves’
    Cory Doctorow, Information Doesn’t Want to Be Free

  Slide 36: Bootcamps
    • Have people come and ‘bootcamp’ with security
    • Embracing transparency
    • Provides insight to daily security issues and concerns
    • Build strong personal relationships
    • Seed champions back out to the organization

  Slide 37: Securgonomics
    • Lowering the barrier to interact with security
    • Too often security teams lock themselves away
    • Being accessible & visible to everyone is invaluable
    • Sit on the busiest office pathway you can
    • Have your security dashboards front & centre

  Slide 38: Security Candy!
    • Biggest source of security pod ‘drive-bys’
    • IRC bot command so people can see what’s in stock
    • Graph consumption!

  Slide 39

  Slide 40: Final thoughts
    • People matter as much (if not more) than technology
    • Building an effective security organisation needs a people and therefore cultural focus
    • Enable, don’t block, else you’ll make security a NOP