Creating a Culture of Security Spreading the Word of IT Security from Top to Bottom
Creating a culture of security within an organization may be on CISOs' wish lists, but it's often hard to educate and spread that message, says Yahoo's Justin Somaini.

Somaini, the Internet media company's chief information security officer, says security officers within organizations often have discussions with top executives in the company regarding security measures, but due to time restraints and other obligations, that message usually doesn't trickle down to the rest of the company.

In a recent poll he personally conducted with some 100 other IT security managers (the survey was conducted independently of Yahoo), Somaini said he was surprised to find that a significant number of CISOs were having active discussions with their CEOs dealing with appropriate levels of security for organizations.

"That's a very strong, positive sign in my mind that there's an ongoing dialogue, a healthy dialogue in regard to what is the correct level of security that we should implement," Somaini says in an interview with GovInfoSecurity.com's Eric Chabrow (transcript below). That's a much better sign than security within an organization just taking a stab at the dark, he says.

In the interview, Somaini:

  • Defines the elements that make up a culture of security in an organization.
  • Describes the responsibility of CISOs in helping create and maintain a culture of security.
  • Explains how to create a society of culture within an organization.

Before joining Yahoo earlier this year, Somaini served as CISO at security provider Symantec for three years. Previously, he worked at authentication provider Verisign as director of information security and Charles Schwab as a managing director and as an IT security facilitator. Drexel University awarded Somaini a bachelor of science degree in managing information systems.

Culture of Society Survey

ERIC CHABROW: First off, what motivated you to conduct the survey?

JUSTIN SOMAINI: I took a look at a lot of the surveys that were out there and saw that they really focused on the threat as opposed to how we manage security within our environments. I really wanted to get an understanding of that particular point and maybe glean off some areas that we could improve upon.

CHABROW: What did you find about a culture of security within various organizations?

SOMAINI: One, that there was a good alignment in regards to the concerns and the understanding at the upper levels of a company. However, that kind of waned as it went down the ranks to the individual contributors. That pretty much aligned with the focus of the tension that most security organizations do by reporting metrics and having one-on-one conversations at the higher levels. But they did not consistently have town halls or public discussions with the company as a whole in regard to what the security issue was or what the plan was to remediate the findings that they have or that they discovered.

CHABROW: Why do you suspect they don't have the town halls and other efforts to communicate with others than the top executives?

SOMAINI: It's a common practice of making sure that the leaders of the company are well informed, understand what the issues are, understand what the progress is and get their buy-in and support in order to drive the initiatives. It's a very key and important piece of how we do our job, which that onto itself takes a lot of time and a lot of effort. I think that the lack of focus on individuals across the company is not a conscious effort to not do that, but more of a byproduct of maybe perhaps lack of time, a comfort and feeling that seems to be if leaders of the company are onboard there's not a significant necessity to go to everybody else in the company. Or it could very well be other means. I think it's not an active thought to not necessarily communicate out to them as much, but merely a byproduct of their actions.

Lack of Communication

CHABROW: And what are the consequences of not communicating to the vast majority of people within an organization?

SOMAINI: As we know, security is as strong as its weakest link. As well as, a good portion of security is the behaviors of individuals within our company as opposed to the technical controls. As a result of not necessarily having that ongoing and active discussion and dialogue with them, we don't really support or create a culture of security across the company and as a result the individual employees throughout the organization have a tendency to either develop or maintain their bad habits that they've always had and as a result perpetuating the insecurity within organizations, whether that is not protecting their personal devices, computers or their phones that they have, sharing passwords, all the way down to development coding practices. Individuals are not focusing on security as part of their function, or their DNA, as they live in their corporate space.

CHABROW: Perhaps this is an obvious question, one maybe I should have asked at the beginning. But how would you define a culture of security?

SOMAINI: That's actually a very difficult thing to answer and it changes. As we look from organization to organization, the definition of what is secure could very well change. However, for me personally I would say that a culture has security, part of the DNA, when they stop, think and then act and they think around the security implications. If there is a tingling of concern or question they reach out. They're very proactive in communicating with the security organization to vet out whatever concern that they have, but the security is not imbedded solely within the information security team but across individuals throughout the company. And almost every individual in the company is actively thinking about what they do on a day-to-day basis and putting security into that context to ensure that it doesn't place the company at risk.

Role of the CISO

CHABROW: Is it the role of the CISO to promote this and be the chief champion of this within the organization, this culture of security, or should it be higher up in the organization?

SOMAINI: No, I actually firmly believe that the head of security, whether they maintain the CISO moniker or not, really serves multiple objectives. One of them is driving a culture of security within the company and that's at all levels. Another one is driving a strategy of security and ensuring that the implementations, products and controls are appropriately in place. Then three is that the ongoing life of the company has an ethicacy or an insurant level that the living, breathing function of the company is constantly re-evaluating its security stance to update that secured strategy. But there is no question about it - the head of security owns and needs to drive the culture of security change.

CHABROW: When you talk about developing this culture, is it more than the security awareness programs you often hear about, the good computer hygiene?

SOMAINI: I believe so. When we give web-based training, it's very good at teaching what, but not necessarily why. And to that point, when we want to have individuals understand why we want to implement security, they have a tendency, a human behavior that we need to reiterate that point multiple times before it's put in. Second, we need metrics and reality examples to substantiate the claims that we're making in which these threats actually exist as to why we are doing this because these attacks actually happen. Let me produce the data and show you. To a great degree, we need to enroll emotionally the individuals across the company into the problem that we see in order to get their support in implementing the control that we want to do. That act alone is significantly greater than what we typically see in these awareness campaigns, which is very much "I'm going to teach you what to do but not necessarily why."

CHABROW: We have a lot of CISOs and other IT security managers listening to this. What would you say are the first few steps they should do to help create this culture?

SOMAINI: The first thing to do is to get with your corporate communications team, as well as HR, talk about the intent and really solicit their help in developing a corporate communication plan. I have done that and it has been invaluable in getting the feedback of people who really focus on how to change behavior and how to change cultures, as opposed to just trying to do it myself and work my way through it. That is probably the most beneficial value, the first act that I can recommend or suggest.

Survey Surprises

CHABROW: When you looked over the survey on culture, did anything surprise you?

SOMAINI: There were a couple of things aside from the focus of our attention as well as the reaction that we get. The first thing that was not greatly surprising, but really substantiated a feeling and impression that I had, is we have a lot of ongoing conversations around the advanced persistent threat, or targeted attacks. But is that something that we are really focusing on or feel that we should focus on from a general perspective as establishing the security level of the company? The feedback was no. When given multiple options as far as malware compliance, state-sponsored attacks, state-sponsored sabotage, corporate espionage and there were a couple of others in there, state-sponsored attacks were at the bottom as opposed to at the top, which were the malware threats, as well as compliance adherence. Those were very much at the top.

Second to that was the conversation of establishing that level of security and is it being done with the executives of the company in providing that solicitation. That surprised me. I did not expect such a significant number of CISOs having an active discussion with their CEOs, or board members for that matter, of what that level should be. That's a very strong, positive sign in my mind that there's an ongoing dialogue, a healthy dialogue in regard to what is the correct level of security that we should implement versus a security organization onto themselves just taking a stab at the dark.

CHABROW: Anything else you'd like to add?

SOMAINI: The feedback that I've gotten really drove home a deep desire for practitioners across the industry to have this conversation, to share this type of information, so that we can all benefit. That is something that was gratifying unto itself in order to say, "I think the industry is getting a lot healthier than we ever have been before." To facilitate discussions like this, to be open and honest about some of these issues that we're having, as well as being open to the feedback and comments of others, is a positive sign that we're moving in the right direction.




Around the Network