In today’s rapidly evolving digital landscape, we can no longer rely on a centralized security team as the sole gatekeeper of our organizations’ digital strategy. The traditional model of relegating security to compliance is no longer sufficient.
Instead, security must become an integral part of your company culture, woven into every decision and action taken by employees at all levels. This requires leadership buy-in, and security must be part of every significant technical discussion.
The Problem
In recent years, there has been a surge in high-profile security breaches, each serving as a reminder that inadequate security measures can have devastating consequences. These breaches result in financial losses, cause long-term damage to a company’s reputation, invite regulatory oversight, and hurt customer trust.
If personally identifying information is breached, customers can suffer identity theft. The Department of Justice released a report on this, Data Breach Notifications and Identity Theft, 2021. The key findings were:
- In 2021, 12% of all persons aged 16 or older were notified that an entity with their personal information experienced a data breach in the prior 12 months (figure 1).
- Victims of identity theft (24%) were twice as likely as non-victims (11%) to learn that an entity with their personal information experienced a data breach in the past year.
- Victims of multiple types of identity theft (32%) were more likely than victims of existing credit card (25%), bank (16%), or email or social media account (23%) misuse to learn that an entity with their personal information experienced a data breach.
Consider the 2017 Equifax breach, which exposed the sensitive personal information of 147 million people. The company faced a staggering $700 million settlement and suffered immeasurable damage to its reputation.
Similarly, the SolarWinds supply chain attack in 2020 affected thousands of organizations worldwide, including multiple U.S. government agencies. The full extent of the damage is still being assessed, with estimates running into billions of dollars.
As we can see, the impact is significant, and there is a critical need for an approach that scales, is comprehensive, and focuses on more than checking boxes on compliance forms.
Centralized Security Team – Pros and Cons
Traditionally, organizations have relied on centralized security teams to manage their cybersecurity needs. While this approach has merits, it also has significant limitations.
| Criteria | Centralized | Distributed |
| --- | --- | --- |
| Consistency and coherency | Consistency in security practices across the organization | Potential disconnects from broader security practices |
| Responsibility and accountability model | Centralized oversight and governance; risks being perceived as overbearing | Individual teams have more flexibility and are given more leeway to determine specialized policies to suit their needs; considered less overbearing |
| Scalability | Efficient allocation of resources; difficulty in scaling a single team for the entire company | Duplication of resources, but possible to scale up for an entire company |
As highlighted in the IANS Research article, a hybrid approach that combines centralized oversight with decentralized execution can offer a balance. This model involves creating a service-oriented security organization that provides essential security functions while allowing flexibility and responsiveness to individual business unit needs.
One shortcoming of the above research article is that it assumes security is one-size-fits-all and can be checked off with checklists. Security is a process and a culture in which nuanced decisions must be made. This is why a distributed security structure is critical: the individuals working closely with the product better understand its intricacies and threat model.
Adoption of a new culture
It is crucial to instill a new cultural mindset that integrates security into the very fabric of the organization. This shift in culture entails:
- Making every individual accountable for security, not solely relying on the central security team
- Promoting transparent discussions about security issues and occurrences
- Cultivating a mentality of continuous growth and adaptability in light of advancing threats
- Acknowledging security achievements and gleaning insights from setbacks without assigning blame
This cultural transformation necessitates unwavering leadership support, consistent communication, and concrete steps that demonstrate the organization’s dedication to security.
Central team vs individuals – separation of responsibilities
While shifting towards a security-conscious culture, it’s crucial to delineate responsibilities between the central security team and individual employees. There should be no overlap or ambiguity.
| Central Security Team | Individuals |
| --- | --- |
| Developing and maintaining security policies and standards | Following security best practices in their daily work |
| Providing specialized security services (e.g., threat hunting, incident response) | Identifying and reporting suspicious activities or potential security incidents by analyzing their product usage |
| Offering guidance and support to business units | Receiving guidance and participating in security programs |
| Conducting security assessments and audits | Considering security implications in their decision-making processes |
Fund an Internal Security University Program
Unfunded mandates are a slow-ticking time bomb. If the company considers security crucial and mandates that everyone play their part, it needs to fund a training and support program.
The best way to start is to invest in comprehensive security education, which the company can call its “Security University.” The company should ensure that each individual who needs to be trained has time allocated to go through the learning exercises and an opportunity to put them into practice.
This “Security University” should:
- Offer role-specific security training
- Provide hands-on labs and simulations
- Keep employees updated on the latest threats and mitigation strategies
- Foster a community of security champions across the organization
Lastly, the company should have some support resources for individuals to fulfill their responsibilities. Examples could be an internal community, groups, or Q&As with experienced security engineers.
Properly align incentives
The majority of U.S. employees say incentive-based pay motivates them at work. This should not be surprising, as work isn’t the only thing we value in our lives.
It’s well established that incentive-based pay motivates employees. A Harvard Business School study reinforces this idea: Do Bonuses Enhance Sales Productivity? A Dynamic Structural Analysis of Bonus-Based Compensation Plans. Organizations should leverage this insight and align their incentive structures to promote security-conscious behavior.
This could include:
- Incorporating security metrics into performance evaluations
- Offering bonuses for identifying and reporting security vulnerabilities
- Recognizing and rewarding employees who go above and beyond in promoting security
- Tying executive compensation to the organization’s overall security posture
By properly aligning incentives, organizations can ensure security becomes a priority at all levels of the company. Everyone can play a small part, and those parts add up.
Putting it all together
Transforming security from a mere compliance checkbox to a fundamental part of company culture requires a comprehensive approach. This involves reconsidering organizational structures, investing in education, aligning incentives, and fostering a mindset where security is everyone’s responsibility.
This transformation won’t happen overnight. It demands sustained effort, commitment from leadership, and patience. However, the benefits – including improved resilience against threats, enhanced customer trust, and potentially significant cost savings from avoided breaches – make this journey worthwhile.
In an era where digital assets are often a company’s most valuable resources, treating security as a cultural imperative rather than a necessary evil is not just smart – it’s essential for long-term success and sustainability.
About the Author
Manish Sinha is an accomplished Software Engineer currently working at Meta. He specializes in Security and Performance, including the intersection of the two. With over 13 years of industry experience, he has previously worked at Amazon and Microsoft, gaining extensive experience and handling significant software and services used by millions daily. At Amazon, he was the company’s security certifier, reviewing and approving many applications that handled critical customer data.
Manish Sinha can be reached online at [email protected] and https://www.linkedin.com/in/manishsinha27/ and at his website https://manishsinha.me.