Anecdotal studies have shown that the following five factors contribute to your organization's security. How many describe your team?
5. Executive ownership: Sponsorship and ownership differ dramatically. Effective security is a cultural choice, and teams that experience executive ownership of security succeed because the executive is not just involved as a sponsor, but is also committed as an owner. A sponsor cheers from the sidelines, while an owner takes the ball over the line.
4. Consult, collaborate and cooperate: No single organization can do it all, especially in IT. Many teams are too focused on delivery, moving too fast and responding to too many market or business pressures. Having a consultative attitude when working with the security team opens the door to advice, support and sometimes even staff. Being open to help means help will come. Confucius might have once said, "An open hand works both ways -- it gives, but it also receives" (and if he didn't, he should have).
3. Attitude of continuous improvement: Good enough is not good enough in a security-conscious organization. Focusing on a compliance bar develops a reactive security program. By continually pushing beyond "good enough," companies build proactive security programs that cost less and provide more value than reactive, compliant programs. Instead of a major retooling when regulatory or industry compliance frameworks change, the proactive team security program adapts quickly. Think of Bradley Wiggins (winner of the 2012 Tour de France). Two years earlier, he was a dedicated track cyclist with three world championships. Now he's the first Brit to win the event, and he did it in only a few years of training.
2. Process has its place: Developers love Agile because it doesn't feel heavy-handed, but Agile is a process (just don't tell the development team). That's the key to Agile's popularity -- and to its success. It has just enough process to be effective and efficient. Security comes with its own process, and successful teams are committed to implementing effective processes, even when they may seem unimportant or don't obviously contribute to the team's vision. All-star basketball players may sink the winning shot at the buzzer on Friday night, but Monday morning they're back in the gym practicing free throws, because they know the little things contribute to the big wins.
1. Security is a choice: Internal commitment plays a significantly larger role in effective security than external compliance. This is because, after all of the administrative and technical controls are purchased, installed, configured or published, it's still people who make or break your security. Developing a culture of security is very different from developing a culture of compliance, and it pays off in spades. Going through the motions might get a racing team to Indianapolis, but commitment to excellence is required to beat the competition.