I am a programmer, but last year among other things I put on the hat of "security architect" for our area (about a dozen teams). Here I will describe some steps we took to improve our security posture in the area.
Security is a business enabler. I don’t think that I need to spend lines arguing about that. But security is also hard. First of all, there are a lot of things we need to do right. Our software needs to be secure, the environment we run in, the libraries we use, how we deliver software, audit trails, compliance to regulations, the list can go on and on. We can do most of the things right, but if we do not do all of them we are vulnerable. And if our vulnerabilities are exploited, nobody is going to care about what we did right.
Next, is awareness and know-how. This is a problem for companies big and small. Security is a very wide topic, it has many different sides. The bigger the company, more items come into scope in terms of security. A smaller company probably has less resources to dedicate for security. In any case it takes effort to keep track of all the processes, regulations and policies. If we know them, they are often open to interpretation, and when interpreted we need to know what applies to us. And then, even if teams are aware, in many cases they do not know where or how to start.
And the matter of starting brings the topic of priorities. We have to do all the security work while staying competitive, innovative and driving down costs. It is difficult to balance and security usually lacks priority. The lack of priority is often due to misguided views. Views like, “we are secure”, “it will never happen”, “you built it to be secure right?” and “someone from security takes care of this”.
These are things that ring true for most organizations and some of them apply to us as well. So in the beginning of the year, we asked ourselves: how to achieve great compliance and naturally improve our security posture, acknowledging difficulties as the ones mentioned above? Our initiative, compliance shots! The idea is simple, each compliance shot is composed of:
Explanation of what we had to do in 2-3 sentences
A reference to the policy that brings the given requirement
A tutorial or guide on how to do it
A related story, to make it visible, introduce it to POs and keep track of the progress
We did a lot of these shots, and it worked remarkably well! I cannot get into details of course, but what I can do, is give a couple of closing remarks. You need allies in your quest to an improved security posture, because it is certain you will meet resistance. One or two people buying into your vision can help move the others. Also, good potential allies are people who are going to look good with the results of the initiative. Find them! Next advice is to have empathy and try to understand the reasons behind the resistance. In our case, some POs were glad that they had others letting them know of all the (security) things they have to do with explanations and tutorials. It makes their work easier. Others felt frustrated because new things were added, competing for attention with the features they want to deliver or the pressing deadlines they have to meet. You have to understand where they are coming from and only then you can motivate them to come your way.
But this is just the start. There are more initiatives in motion and they may be inspiration for another post.