Secure Technology, Necessary; Secure Mindset, Priceless

Cybersecurity emerged as one of the most serious issues of 2016. The largest-ever distributed denial of service (DDoS) attack took down thousands of websites, more than one billion Yahoo users learned that their personal information had been compromised, and the U.S. election was hacked by a foreign power. Despite the efforts of the country’s best and brightest security minds, these attacks are not over. Cybersecurity will remain a significant national and corporate threat for years to come.

Organizations often respond to a cybersecurity breach with new investments in security technology, or a thorough review of security policies and processes, or even by replacing the CISO. But you can invest in great people, technology, and processes and still wind up with security problems.

Why? Because you haven’t addressed the cultural aspects of security.

Most people tend to focus on their own jobs, thinking security will be taken care of by someone else. Their success is measured by how fast they brought a product to market, or launched an ad campaign, or improved factory productivity. So, if their job title doesn’t include “security,” why would they think about it?

But often, there is a fast way to do things, and there’s a secure way to do things that may not be quite as fast, or quite as visible. The key to ensuring a high level of cybersecurity is to build security awareness into every job, every role, and to give people a reason to choose the more secure path.

That’s why I have initiated a very broad-based effort to change culture and mindset at Uptake, to build security into everything we do. The “Uptake Security Manifesto” is part of this initiative, inspired by Rugged Software’s “Rugged Manifesto,” which highlights the responsibility of developers to embed security into every line of code they write. These documents are not about processes or policies; they are about mindset. They are about a culture in which everyone shares responsibility for secure products, secure communications, a secure environment. They are about building a culture in which people think about how the things they do may impact the larger purpose of the company.

Of course, it takes more than a “Manifesto” on everyone’s desk to build a culture of security. It needs to be repeated and integrated into all we do. I have taken this message to employees at all-hands meetings, and I talk with every group of new hires about our shared ownership of security. And I am fortunate to have company leadership who supports security as a top priority.

It is starting to make a huge difference. Every week, employees come to me with concerns about something they’ve seen, or the security implications around something they are doing. Just recently, someone messaged me from a plane to ask about an error message they had received about the airline’s Wi-Fi service. It’s this kind of awareness that ensures world-class security.

You can buy the best security technology, but you can’t buy this kind of culture. You have to build it, one employee at a time.

Nick Percoco is Uptake’s CISO.
