The Art and Craft of a Meaningful Security Culture (UTMESSAN 2016)
A short presentation given at UTMESSAN in Reykjavík Feb 2016 discussing the importance of security culture in creating effective security organisations and the role of people alongside technology.
Director of Security at Etsy • Co-Founder of Syndis here in Reykjavík • Background in breaking, not building: Vuln Research, Exploit Dev, Pen-Testing, Attack Framework Dev … • Now I use that knowledge to build security orgs
items • Gross Marketplace Sales (GMS) $1.93 Billion in 2014 • 22.6M active buyers, 1.5M active sellers • Buying & selling from nearly every country in the world • Offices in 7 countries, HQ in Brooklyn NYC
Culture & why it is important - How to foster your own security culture to improve your organisation’s security - Share the approaches we are taking at Etsy
dedicated to security? • An individual dedicated to security? • Security as a portion of someone’s role? • No one with official security responsibilities? • Has no idea at all!!
principles that guide the behaviors, activities, priorities, and decisions of a group of people working toward a common objective.' Karl Wiegers, Creating a Software Engineering Culture
that security has as much to do with people as it has to do with technology • As an industry, security has done a poor job of discussing the need for positive security culture • Often the approaches focussed on are entirely technical
will be the single biggest factor undermining your progressive security efforts • Value social skills as highly as technical skills when making your security hires • ‘Company cultural fit’ critically important
on building relationships • Removes barriers / reduces intimidation • Can be as simple as buying cakes or beer! • Assign budget to this, it will be the best ROI you see
• Embracing transparency • Provides insight to daily security issues and concerns • Build strong personal relationships • Seed champions back out to the organization
• Too often security teams lock themselves away • Being accessible & visible to everyone is invaluable • Sit on the busiest office pathway you can • Have your security dashboards front & centre
more) than technology • Building an effective security organisation needs a people focus and therefore a cultural focus • Enable, don’t block, else you’ll make security a NOP