At Black Hat MEA 2022 ,Shobha Jagathpal (India CISO at Morgan Stanley) spoke about the lifecycle of an application – and its risk journey.
One point that really stood out to us is that in order to embed security into every stage of application development, or to encourage the effective adoption of modern security processes within existing applications and businesses, engagement is crucial.
And by engagement, we mean the engagement of entire teams – every department, every division, every profession – with security work.
“As security professionals,” Jagathpal said, “we’ve got to drive a mindset and a culture wherein security is no longer an afterthought.”
And to do that, you’ve got to help everyone care about cybersecurity.
Ideas for engaging everyone in cybersecurity
Jagathpal shared several ideas for getting your whole team involved. They’re not the standard employee awareness strategies – and we think they’re worth considering if you want to build a truly proactive, security-focused culture.
Ask someone in another department to write a security blog seems counterintuitive, right? Surely the security professionals should write all the security blogs? Well; perhaps not. Research shows that writing things down can lead to better learning – so involving professionals from other areas of the business in creating security blog content could help them to understand security challenges and solutions more clearly. It also gives more ownership over the security culture at your organisation to non-security team members – creating the sense that they really are part of the security operations. Rather than just telling them they are, but not really involving them in a meaningful way.
Ask them to lead a workshop session on an in depth topic that relates to security. This is a great way to build bridges between skill sets within an organisation. Ask team members in different departments or work flows to create and lead workshop sessions that cover their area of expertise and related security challenges and solutions. It’ll help everyone see the links between their own work and the organisation’s overall security posture – and will lead to more creative idea generation for your security operations, and interdisciplinary professionals will realise they can apply their skills and experience to security.
Crowdsource security problems within your organisation. “We always think security services should be offered only by security teams,” Jagathpal noted, “they are the experts. And they don’t let anyone else contribute to the inventory of security services that can be consumed.” So she suggested looking at problems from a different perspective – by welcoming ideas from everyone in your organisation . Can you crowdsource specific problems and invite suggestions from other teams; and be open to their ideas? This could bring two major benefits: fresh solutions, and greater engagement.
“Overall, we need to make it easy for the application developers to search and consume and share and walk with us in an integrated fashion,” Jagathpal added.
What’s the outcome of this kind of engagement?
Driving meaningful, proactive engagement like this will help application developers and their security teams meet the demands of business growth, but with security embedded firmly into company culture and app development.
It’ll help security teams gain the confidence and trust of their peers.
And overall, it will help to create a security culture that will drive future resilience – because everyone’s interested in security, everyone understands how they can contribute, and everyone feels involved and responsible for securing every aspect of the business.
“The security team is required to manage risk .They’ve got to be cogniscient to understand where the risk is; what are the things that are bringing down the risk; and then put in measures to help them manage it.”
But security teams are often perceived by others as “offering non-functioning requirements; barriers to speed; [demanding] additional efforts to meet security needs.”
If everyone’s involved in security, those perceptions will change. And when those perceptions change, security teams will be better able to do their job and manage risk effectively – because everyone will be willing and able to help.
P.S. - Mark your calendars for the return of Black Hat MEA in November 2024. Want to be a part of the action? Register now!