How to Build a Culture of Security

5 Ways Growing Companies Can Incorporate Security into Their Culture and Products

Deciding where to start when it comes to security can be a challenge for growing companies.

To help ease the pain, the Federal Trade Commission earlier this month hosted a conference focused on providing startups with practical tips and strategies for implementing effective data security (we were there!). The conference brought together industry experts including software engineers, academics, and lawyers (not to mention a session on making a business case for security, featuring TUNE Chief Privacy Officer Saira Nayak)

Start with Security taught us that, while nothing can truly replace a professionally developed security program that is finely tuned to the risks your company is facing, there are many free or low-cost resources available to help you start developing a security program now — in a way that also engages your employees to help you reduce the risks from unauthorized access, or breach, of your valuable customer and corporate data.

As someone who spent the last 10 years engineering products with companies ranging in size from startup to enterprise, I found the content and resources offered in this event to be highly relevant. Here are some of my favorite takeaways for companies that need to start building security into their culture and products.

Start with Security

What if you don’t have the budget to hire a security consultancy to analyze your systems and workplace to assess and mitigate security and other risks? Don’t let perfect be the enemy of good!

There are many free resources available to help you build a security program. Start with the FTC, which has published several free resources, including a supplement to this event, Start with Security, a Guide for Business. It provides a good start to help you begin thinking about the security issues that are specific to your business.

Build Security Into Your Pipeline

A terrific, tested, and free resource to bring security into your process and development pipeline is Microsoft’s Security Development Lifecycle framework, which has been adopted by companies of all sizes and stages of growth to improve the security and privacy of their applications.

Along with the SDL framework, Microsoft offers the SDL Threat Modeling Tool that can be used by developers or software architects to identify and mitigate potential security issues earlier in the process, when they are more cost effective to resolve.

Improve Software Security

The Open Web Application Security Project is a worldwide non-profit focused on improving software security; the OWASP Top 10, which highlights the top 10 application security flaws, can provide a quick assessment of where your practices stack against an industry standard. The OWASP 10 includes descriptions of each risk, along with examples of vulnerabilities and attacks, guidance on how to avoid these security risks, and references to related resources. There’s even a Cornucopia card game to help test your knowledge.

Addressing the OWASP Top 10 in your organization can go a long way toward mitigating the vulnerabilities most likely to impact your application. OWASP hosts local chapters in many regions worldwide — which can also provide opportunities for your engineering staff to teach, learn and inspire with others in your community.

Train Your Engineers

For a more structured set of security engineering training tools, a fantastic option is offered by SAFECode, an industry-led global non-profit that is dedicated to identifying and promoting best practices for delivering secure and reliable software, hardware and services. They offer free software security training courses via on-demand webcasts and publish a framework for setting up a corporate security engineering training program which can be used as a supplement to a formal engineering training initiative.

All SAFECode courses are free and published under a Creative Commons license, which means you can integrate these courses into your existing training framework as long as you properly attribute the source.

Make Security Fun

When building security into your culture, it’s important to introduce security risks and best practices in an approachable, engaging way. Using gaming as a tool in your security program is a great way to make security training fun and accessible and build security into your culture in a non-threatening way. One way to gamify security is to incentivize and reward employees who embrace best practices. These incentives can be built into trainings to address security risks such as physical access, social engineering, and software and technology stack vulnerabilities.

Microsoft’s Elevation of Privilege Card Game is an easy way to familiarize engineering teams with threat modeling, a core component of the Microsoft SDL and similar security programs and frameworks. EoP introduces engineers to the STRIDE threat categories (spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege). This game was developed by Microsoft and published under a creative commons license. It is available for free download or purchase.

Measure Your Progress

Once you have addressed training and process in your organization, another opportunity to build security into your products is through static and dynamic analysis tools. Your choice of tools will depend largely on the technology stack you are using, but many free open source tools are available that allow you to perform analysis on your code base to verify that security techniques have been correctly implemented. Such analysis tools are not a panacea, but provide an additional layer of protection in your security program.

Conclusion: Make Security a Priority

Whether you are trying to capture the trust and business of larger customers or trying to prepare for an exit, building a security culture is an asset that needs to be a core part of your long-term growth and business strategy. Making someone responsible for security, and building an organization that is focused on security and data governance is key.  

Winning enterprise business often means providing to your clients that you have the right security practices (and verifying that through detailed security audits and questionnaires).  Having security embedded in your development pipeline from the start makes this audit and investigatory process a lot easier.

As your company matures and acquisition comes into the picture, having a strong security program will help you navigate the diligence process, and make you more attractive to investors.  Another reason to start with security now, not later. You’ll be doing the work you need to forestall the likelihood of something catastrophic like a data breach.  And of course, we all know that in this world of bank and retail breaches, customers prefer organizations that have strong security practices.

Learn all about TUNE data and privacy, including the TUNE data pledge. Like this article? Sign up for our blog digest emails.