Who knew that cybersecurity was not about sticking a firewall on the edges of the corporate network? Well, it is, but if that is all you are doing, you are already in trouble.
At the Amazon Web Services (AWS) annual cybersecurity conference, re:Inforce, held in Philadelphia this year, a constant refrain was that cybersecurity is as much about corporate culture as it is about technology.
Chris Betz, who joined AWS as chief information security officer last year from Capital One, where he played the same role, told a media briefing that what struck him when he joined the company was the systems and processes it used to deliberately invest in culture.
“It’s not just about having a strong security culture; it’s about having the systems and processes to deliberately invest in and nurture that culture,” he said.
“It starts with people who make it their intention, and that starts with our CEOs, whether it was Andy Jassy, Adam Selipsky, and now Matt Garman. All of them have been super clear about security being their top priority. And so that’s incredibly powerful for having the right culture. How the company has developed mechanisms, processes, and systems that help reinforce that throughout the organisation is really impressive.
“I think many companies have really strong security cultures, and I know there are things we can continue to invest in across every company. But what struck me at AWS was the unique thoughtfulness, the maturity in building and maintaining a culture here was on the next level.”
Betz was not so much blowing his AWS trumpet as emphasising what it takes for large enterprises to embrace a security culture.
He offered a clear roadmap for any organisation where leaders felt they did not have that culture.
“Part of my job as a security leader of any company is to engage deeply with the business leaders, with the board, with the responsible entities, to make sure that the direction I’m headed in is aligned with the direction they want to go and convince and help convince them if needed. I haven’t had to do much of that. Getting that organisational alignment is really important.
“But that’s not enough. We all know that company leaders can only be in so many places. And so, step two for me is looking at, how do you have security ownership across the organisation? How do you enable those business leaders to hold every layer of the organisation accountable for security and feel the ownership? That is the second part of establishing a culture: the deep ownership.”
Even that is not enough, however.
“It’s great if (leaders) feel ownership, but you’ve got to have the right expertise in the right places at the right time. When you’re able to get security thinking very early in an engineering or development process, you can get as close as possible to seamless security. When you try to put on security at the end, that is a really, really rough experience.”
Is that enough? From a purely technical point of view, yes. But several more elements feed into an organisation's culture of security.
“The last piece of security culture is in celebrating the successes and in holding that accountability throughout the organisation. It’s important to recognise and celebrate when things go right and ensure that accountability is maintained across all levels. This helps reinforce the importance of security and encourages everyone to keep up the good work.”
“When at every level of the organisation, people feel deep ownership and responsibility, putting out a high-quality solution includes customers’ ability to trust it and its ability to be secure. Personal ownership at every level in the organisation is probably the most important characteristic that drives a culture of security.”
* Arthur Goldstuck is CEO of World Wide Worx and editor-in-chief of Gadget.co.za. Follow him on social media on @art2gee.