A strong security culture is easy to talk about but hard to achieve. Making sure your tech stack and your processes support your people is a critical first step.
A strong culture of security is a critical aspect of a strong security posture–but fostering that culture in practice can be difficult. For one thing, it’s one of those things whose urgency doesn’t match its importance: it’s not a blinking red light or an impending compliance failure.
It’s also very easy for the development of security culture to turn into a superficial box-checking exercise. A weekly email from the CISO. A monthly training video followed by a handful of blindingly-obvious questions. A weekly reminder in all hands that security is everyone’s responsibility.
These often generate eye rolls more often than improvements in security culture. Culture can’t be created with superficial enhancements. A strong security culture is operational: it is demonstrated by leadership and it permeates everything from the tech stack to the policies to the day-to-day processes. It empowers the entire organization to be an effective piece of the security apparatus without slowing people down.
And achieving that is hard… if you don’t know how to start.
Tools aren’t enough
We’ve all seen the eye-chart security market diagrams, where thousands of vendors are represented by a microscopic logo on a sprawling sea of security tools. If security could be “solved” with tools alone, cybercrime would be a thing of the past.
Not only are there plenty of security tools, but most of them are good or great at what they do. The reasons best-in-breed point solutions don’t always meet expectations often aren’t technical shortcomings, but rather because they don’t address cultural realities.
"The 'aha moment' came when we realized Material Security wasn't just a technical product, but a cultural one. By design it reinforces good security culture and collaboration." - Joel Larish, Chief Product & Technology Officer, Stake
Throw a dart at a list of vulnerability management vendors and you’re likely to hit one that will do a stellar job of detecting and flagging the gaps in whatever environment it’s scanning. But does it convince your leadership to dedicate resources and headcount? Does it help your engineers prioritize and fix those vulnerabilities? Does it bridge the gap between security and IT to ensure the fixes are put in place effectively and with minimal effort?
Likewise, pick an email security provider at random, and chances are it will catch the overwhelming majority of incoming threats. But it won’t alter human nature, and it won’t change the fact that we all make mistakes. All it takes for a breach is one distracted person clicking a link in the inevitable tiny percentage of phishing attacks to make it through.
"We’ve been able to use Material to scale out our operations. Being able to use our employees as a way of defending against phishing was really attractive to me." - Dev Akhawe, Head of Security, Figma
None of this is meant to condemn security tools. But it’s simply not enough to be good at solving a problem in isolation. To be effective, tools need to fit into and advance the company’s security culture.
To do that, they need to be intuitive and easy to use. They need to integrate broadly across the tech stack on the front and back ends, and fit within the existing workflows. They need to remove friction both for the security teams using them and for the end users being protected by them. And wherever possible, they need to view those users as potential contributors to hardening security posture, not simply potential breaches waiting to happen.
Grease the skids, don’t introduce obstacles
When security tools complicate existing processes or introduce new, cumbersome steps, they inadvertently encourage workarounds, undermining the very protection they aim to put in place.
Everyone, no matter their seniority or role, is under pressure to get as much done as possible in as little time as possible. And we all naturally seek the path of least resistance. If a security measure impedes our ability to complete tasks efficiently, we are likely to find ways around it–sometimes even unintentionally.
Security solutions need to seamlessly fit into daily operations, becoming almost invisible to the end user. The most effective tools are those that protect without disrupting, allowing employees to work securely without conscious effort or added steps.
“The Material solution was easy to deploy and is a win-win for both our employees and the security team. It provides a frictionless way to protect our sensitive data and accounts from being compromised.” - Rama Karamsetty, VP of Engineering, MyFitnessPal
When security solutions work with your users rather than against them, they benefit everybody. The security team gets more effective safeguards of their email, files, and accounts, and employees are protected without being slowed down. This seamless integration fosters a positive security culture where protection is perceived as an enabler and not an obstacle–if it’s perceived at all.
Protect your tech stack from the inside out
A key aspect of reducing friction and fostering a robust security culture is the seamless integration of security tools with an organization's existing technology stack. This obviously ties back to the earlier point: when security tools are well-integrated, they become a natural part of the user's workflow rather than a hindrance.
Operationally reinforcing security as a functional part of the routine–not the department of “no”–helps foster a positive security culture where employees are more likely to be engaged and proactive about security.
It’s not about just adding another layer of security, but rather building security into the fabric of the tools that employees use every day. That means making use of the APIs and connectors available in the existing tech stack to create a cohesive security solution that connects the dots. Doing so effectively allows organizations to enhance their security culture and improve their overall resilience against threats.
“One of the things I appreciate about Material is the integration with tools that people are already using. We don’t have to give users an extra login or tell them to validate through an additional service–it really just works with everything.” - Lisa Hall, CISO, Safebase
Instead of seeing security as a set of rules and restrictions imposed by a separate department, employees begin to view it as a shared responsibility. This shift in mindset is vital for building the strong human firewall that is often the first line of defense against cyberattacks.
When security is an integral but unobtrusive part of their daily tasks, employees are more likely to be vigilant and report suspicious activity, thus strengthening the organization's security posture from within.
Building a culture takes time - but it’s worth it.
Security culture isn't built overnight. Even with the right people, processes, and technology in place, it takes time and requires consistent effort. However, while fully embedding security consciousness across an organization is a long-term effort, teams can implement strategies that show progress swiftly.
Prioritizing user-centric security tools that seamlessly integrate into existing workflows and tools, leading by example, and enabling users to be contributors can help any organization cultivate a strong security culture that’s more than skin deep.
To see how Material Security helps improve security culture with seamless, effective security operations, contact us today.