The Art and Craft of a Meaningful Security Culture (UTMESSAN 2016)

Transcript

1. The Art and Craft of a Meaningful Security Culture UTMESSAN

   2016, Reykjavík Ísland Rich Smith (@iodboi)

2. @iodboi $ whoami • Rich Smith - Brooklyn, NYC •

   Director of Security at Etsy • Co-Founder of Syndis here in Reykjavík • Background in breaking not building: Vuln Research, Exploit Dev, Pen-Testing, Attack Framework Dev … • Now I use that knowledge to build security orgs

3. @iodboi Who? • etsy.com - Marketplace for handmade & vintage

   items • Gross Marketplace Sales (GMS) $1.93 Billion in 2014 • 22.6M active buyers, 1.5M active sellers • Buying & selling from nearly every country in the world • Offices in 7 countries, HQ in Brooklyn NYC

4. @iodboi What will we talk about? - What is Security

   Culture & why is it important - How to foster your own security culture to 
 improve your organisation’s security - Share the approaches we are taking at Etsy

5. Disclaimer A + B != Culture

6. @iodboi Who thinks their organisation has … • A team

   dedicated to security? • An individual dedicated to security? • Security as a portion of someones role? • No one with official security responsibilities? • Has no idea at all !!

7. Security from 50,000 ft

8. Technology Society Technology Security

9. @iodboi With this perspective it’s easy to see that people

   need to be considered alongside technology when thinking about security

10. @iodboi The time when a single person or team can

    be responsible for an orgs security is long over….

11. ….it is up to EVERYONE

12. Building an effective security organisation requires the creation of security

    culture

13. But what is security culture?

14. @iodboi 'Culture includes a set of shared values, goals, and

    principles that guide the behaviors, activities, priorities, and decisions of a group of people working toward a common objective.' Karl Wiegers, Creating a Software Engineering Culture

15. @iodboi Security Culture • A specialised engineering culture • Understanding

    that security has as much to do with people as it has to do with technology • As an industry, security has done a poor job of discussing the need for positive security culture • Often the approaches focussed on are entirely technical

16. ‘Classical’ security approaches are not conducive to building a security

    culture people buy into…

17. …in fact they often do quite the opposite

18. @iodboi Classical == Restrictions

19. @iodboi Classical == Blocking

20. @iodboi If security introduces blocking to an org, it will

    be ignored, not embraced

21. @iodboi Classical security values hard technical skills not 
 soft

    interpersonal skills

22. So what is the alternative?

23. @iodboi 3 Principles of Effective Security 1. Enabling 2. Transparent

    3. Blameless

24. @iodboi A security team’s success should be measured by what

    they enable not by what they block Enabling

25. @iodboi A security team that is open as to what

    it does, and why, spreads understanding and is embraced Transparent

26. @iodboi Security failures will happen, only without blame will you

    be able to understand the true causes Blameless

27. @iodboi These principals help share security responsibility amongst the whole

    organisation

28. @iodboi This creates shared objectives around which security culture can

    form

29. Some Practical Steps To Help Foster A Security Culture

30. @iodboi Great culture depends on great people

31. @iodboi Security Team Hiring Number 1 rule …… Don’t Hire

    Assholes

32. @iodboi Security Team Hiring If you inadvertently do, or you

    inherit one…… Remove them ASAP

33. @iodboi Great culture depends on great people • Abrasive members

    will be the single biggest factor undermining your progressive security efforts • Value social skills as highly as technical skills when making your security hires • ‘Company cultural fit’ critically important

34. @iodboi Security Outreach • Distinct from security education • Focus

    on building relationships • Removes barriers / reduces intimidation • Can be as simple as buying cakes or beer! • Assign budget to this, it will be the best ROI you see

35. @iodboi ‘Sociable conversation is the inevitable product of socializing. Sociable

    conversation is the way that human beings establish trusted relationships among themselves’ Cory Doctorow - Information doesn’t want to be free

36. @iodboi Bootcamps • Have people come and ‘bootcamp’ with security

    • Embracing transparency • Provides insight to daily security issues and concerns • Build strong personal relationships • Seed champions back out to the organization

37. @iodboi Securgonomics • Lowering the barrier to interact with security

    • Too often security teams lock themselves away • Being accessible & visible to everyone is invaluable • Sit on the busiest office pathway you can • Have your security dashboards front & centre

38. @iodboi Security Candy! • Biggest source of security pod ‘drive

    bys’ • IRC bot command so people can see what’s in stock • Graph consumption!

39. Wrap up

40. @iodboi Final thoughts • People matter as much (if not

    more) than technology • Building an effective security organisation needs a people and therefore cultural focus • Enable don’t block, else you’ll make security a NOP

41. @iodboi Enabling. Transparent. Blameless

42. <Questions? /> Blog sin-ack.co.uk Presentations speakerdeck.com/iodboi Tweetz twitter.com/iodboi Code github.com/mynameismeerkat