Forget the tech, security is cultural
Christian Matthies explores how agile security demands radical methods of trust and responsibility for all staff, emphasising the need for a holistic approach that makes security a consideration for everyone in the company.
Christian Matthies, Security Lead, Zalando
Visualise a criminal. What do you see in your mind's eye? Someone wearing a balaclava? Maybe carrying a bag marked with “swag”? More than ever, this image is out of date. Nowadays a criminal is likely to be someone sitting in front of a computer, probing through lines of code, searching for vulnerabilities.
In this environment, where cyber-crime is now more profitable than the global drugs trade, many companies have been slow to react. Security is not at the core of their business, instead operating on the periphery. This could be catastrophic. Pushing security to the side and failing to create strategies that support it across the company is equivalent to dressing like a deer in hunting season: eventually someone is going to get hurt.
Still, even if a business is prioritising security, many make the mistake of not doing so correctly. While technology is vital in protecting a company, there is one thing even more important: people. Whether through phishing, inattention or other factors, a single person can be the weak link that lets attackers through the gates. This need not be the case. Instead, with the right approach, your workers can be your biggest defence against cyber-criminals.
Catching the bug
The first step in turning your tech staff into security stars is a bug bounty programme. Consider Google. It recently paid £17,875 in bounties to researchers who reported bugs. Other organisations are adopting this strategy, too. Microsoft has enlisted the help of people far and wide to find its bugs. Even Pornhub has got involved, launching a bug bounty programme to protect itself from malicious hackers.
Organisations are obviously on board with this, but why? Well, a recent study found undetected insider threats in 100 percent of the companies it analysed. In other words, every single one of them could be completely unaware that it was being attacked from the inside. And even when developers mean no harm, they inevitably introduce bugs and security holes that attackers can exploit.
This is why a bug bounty programme is so vital. In many instances, including the examples above, programmes are open only to external researchers, and some even bar a company's own staff from taking part. This is a mistake. If you have an outstanding tech team, they are the people best placed to find vulnerabilities.
In this internal initiative, you reward workers for finding bugs. The key is to open it to the entire tech team, not just the security specialists. This works for a variety of reasons, the most prominent being that teams know their own infrastructure best, which cuts the time it takes to recognise and report a bug. This is what we have rolled out successfully at Zalando, and we have found that the key is trust. If you want to thrive as a tech organisation, you need to give workers the tools to operate autonomously and to believe in their judgement, and a bug bounty programme of this kind demonstrates exactly that.
You also need to decide how you will compensate your staff. This is their motivation for doing a task outside the parameters of their normal work, and the choice must be heavily informed by your company's culture. In some places, simple financial compensation might work; in others it might be running leaderboards, giving out awards or offering chances to win time off. Whatever it is, find something that works for your business and you will see a marked increase in bug reporting.
Don't get mad, get competing
While bug reporting is a way to cut down the number of vulnerabilities in software, it can struggle to get people genuinely excited about security. Security might not be the most riveting topic for some, but there are a variety of techniques you can use to drive interest. For example, why not run a security event?
When I say event, do not take this to mean a conference or a lecture. Instead, it is all about competitions. For example, an initiative we have had success with at Zalando is the “Capture The Flag” contest. The idea is to simulate a real-world hacking experience and put some personality into the security process. In ours, people compete to find the most bugs or to reach planted ‘confidential information'.
There are several ways this can be altered to fit your company, too. Rather than focusing on individuals, you could run a team-based competition or split people by interests. Or, rather than hunting bugs, focus on other kinds of security flaw. What you cannot lose sight of, though, is fun. It should be a competitive way to encourage people to get involved, in effect gamifying security.
Championing your champions
Despite the above tactics, there will always be people who are more dedicated and excited about security than others. Rather than just accepting them as part and parcel of office life, you should make use of their talents. What does that mean? Making them Security Champions.
The idea behind this is to give people in other departments a holistic, complete view of security. Again, this is something that works incredibly well at Zalando. It has created a set of individuals who are well versed in security fundamentals and who carry those lessons back to the rest of their team, so that security becomes part of how the team develops software. By training people to understand threat modelling, data privacy law and other security concepts, they become a vital extension of the company's security team, despite not working in it directly.
Still, it is important to note that these people should take this on because they want to. If they are forced into this type of activity, they will not deliver the same results. Volunteering, and a culture that encourages it, is essential to the success of Security Champions.
Getting down to business
Finally, we need to put the opening of this piece into practice: security impacts everything. Over the past few years it has moved from a niche concern to something arguably as vital as sales or development. While security professionals are fully aware of this, many others in the company will not be. This is why you need to tell them.
In many respects, the security team is responsible for educating the rest of the company. Whether it is in legal, marketing or at the C-suite level, individuals need to understand and recognise the importance of security to their day-to-day lives. Whether this is about data protection or what they can do in their roles to make them safer, it cannot be ignored.
The solution? As dull as it sounds, this can be achieved by running a range of meetings. That word is important, though: meeting. This should not be a lecture in which the security team overloads a group of people with information. Instead, it should be a conversation in which each group shares its biggest concerns and hopes for security, shaping a people-centric approach to the issue.
Ultimately, security is a cultural issue. A company could have the greatest team in the world, working with the slickest technology, but if others in the organisation do not take security seriously, they could still get breached. What is needed is a holistic approach, one that makes security a consideration for everyone in the company. Whether this is achieved through competition, co-operation or coercion depends on the nature of your own business. What cannot be forgotten though is security is at the core of your company, whether you like it or not. You wouldn't leave your house with all the doors and windows open, so why do the same with your company?
Contributed by Christian Matthies, Security Lead, Zalando