Create security culture to boost cyber defences, says Troy Hunt

Security suffers when there is tension between software developers and security professionals, yet such tension is common in many organisations, says world-renowned security blogger and trainer

Creating a security culture can ease tensions between developers and security professionals and raise an organisation’s cyber defence capability, according to Troy Hunt, Pluralsight author and security expert.

“Security must be top of mind for all technology professionals in an organisation, not just the designated security team,” he told Computer Weekly.

“With a new hack or breach happening almost daily, organisations must develop the skills required to safeguard and manage against security threats by making security the norm rather than the exception.”

But organisations typically struggle to make cyber security front of mind for everyone so that it becomes a pervasive organisational behaviour, said Hunt.

“Even organisations that are security aware enough to be training employees on various related topics do not necessarily know how to make those hard skills part of the organisation’s culture,” he said.

This realisation, he said, led to the development of a course on creating a security-centric culture for Pluralsight, an enterprise technology learning platform company.

The course is aimed at helping technology professionals and management understand how to embed a culture of security in their organisations, said Hunt.

Part of the problem, he said, is that many organisations’ development and security teams tend to work in separate silos.

Typically, development groups build the software before it is passed to the security team, but this creates a divide between these groups.

Developers tend to be scared of the security people, said Hunt, because the security people can stop software projects from going live if any critical security vulnerabilities are identified in the software code.  

“As a result, there is often tension between these two groups,” he said. “I do about 20 workshops a year at banks, e-commerce companies and the like, and I see this friction over and over again.”


The first thing to bear in mind when it comes to security training is the audience, said Hunt. “Often security teams do the training, but use terms and tools that are unfamiliar to developers,” he said.

“So key to creating a security-centric culture is ensuring these groups work together, and also understanding that developers and IT pros work in a different way to security pros.”

Another important thing to note is that developers often do not understand why they are writing code resilient to SQL injection, for example, said Hunt.

“Often, they haven’t seen it go wrong. But when they see something like sqlmap [a SQL injection and database takeover tool] pointed at their application and all the data ripped out of the system, then they go ‘OK, I see the problem. Maybe we should change the way we write code’. So showing and not just telling is really important,” he said.
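The "show, don't tell" point above can be made at a keyboard in a few lines. The following is an added illustration, not code from the article or from Troy Hunt: it builds a constructed in-memory SQLite table, runs the same lookup once with string concatenation and once with a bound parameter, and feeds both the kind of payloads sqlmap tries first (a tautology that returns every row, and a UNION that reads the schema out of sqlite_master). The table, column and user names are assumptions chosen for the demo.

```python
import sqlite3

# Constructed sample data for the demo (assumption: a users table with hashed passwords).
SAMPLE_USERS = [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")]

# Two payloads of the kind an automated tool such as sqlmap tries early on.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
# The trailing "--" comments out the closing quote the application appends.
SCHEMA_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master--"


def build_db():
    """Create an in-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: user input is spliced into the query text, so it is parsed as SQL."""
    query = f"SELECT username, password_hash FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Hardened: the value is bound as a parameter and is never interpreted as SQL."""
    return conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    """Return (rows leaked by the vulnerable lookup, rows returned by the safe one)."""
    conn = build_db()
    leaked = lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD)  # every user and hash
    safe = lookup_safe(conn, TAUTOLOGY_PAYLOAD)          # no user has that name
    return len(leaked), len(safe)


def schema_leak(conn):
    """Return the table names the UNION payload pulls out of the vulnerable lookup."""
    return [row[0] for row in lookup_vulnerable(conn, SCHEMA_PAYLOAD)]


if __name__ == "__main__":
    print("tautology payload -> vulnerable rows, safe rows:", demo())
    print("schema payload -> tables leaked:", schema_leak(build_db()))
```

The difference developers need to see is not the payload but the query shape: the hardened version still receives the exact same hostile string, but because it is passed as a bound parameter the database compares it as a literal and returns nothing.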

Another useful way to move organisations, and the individuals within them, away from a hypothetical approach to security is to refer to industry precedents, said Hunt.

“Highlight what has happened to drive security thinking and approaches. For example, good security practice is to load login pages over HTTPS, and that is because Facebook was hit by man-in-the-middle attacks in 2011 by the Tunisian government,” he said.

“The government wanted to collect the logins of Facebook users, and because Facebook was loading logins over HTTP, the Tunisian government was able to use key loggers to syphon off credentials, and that is a really good precedent of why we need to follow best practice for login pages.”

Security champions

Many security-aware organisations aiming to create a security-centric culture nominate “security champions” within various teams throughout the organisation.

“So someone in the team responsible for software delivery, for example, is nominated as a security champion because they are interested in it or are doing a good job of security,” said Hunt.

Typically, these security champions are given extra security training and the opportunity to attend security conferences. They may even be given additional security-related KPIs (key performance indicators) and incentives.

In addition to regular security training for everyone in the organisation, Hunt recommends the introduction of internal bug bounty programmes.

“This gets people within the organisation looking for vulnerabilities, and some organisations gamify the process and make it competitive and fun to do, but with an internal, trusted audience,” he said.

Making sure that security is something that is lived from the top down is another key part of creating a security-centric culture, said Hunt.

“If the top executives are not leading by example, it is extremely difficult to create a security culture,” he said, referring to the revelation by UK MP Nadine Dorries in December that her staff had access to her computer password.

“What sort of message does that send?” he said. “Instead, we want to see leaders demonstrating that information security is important. While they may have a business objective of their staff being able to answer emails on their behalf, we want to see them going to IT to find a secure way of doing that, such as delegated access.

“We have got to see the right examples set at the top. They need to be seen to be following and supporting security policies and best practices. They need to live the behaviour that they expect from everyone else in the organisation.”
