Creating a Culture of Security
Annop Siritikul, Enterprise Sales Manager, Amazon Web Services (AWS)
Security has evolved from the sole responsibility of one team to that of the entire organisation. It must become a part of an organisation’s culture, with every employee embracing security and using it as a positive framework for behaviour, building technology, and decision-making. After all, an optimistic, proactive approach is vital to build an organisation where security enables the whole business to move faster and stay safe.
Creating a culture of security is the future, but what does it look like in practice, and how can organisations ensure they are following effective guiding principles to keep them on track? What can you do today to promote a positive security culture?
What does a culture of security look like?
A positive security culture is one where the security team works collaboratively with the rest of the business. If we assume that people want to do the right thing then we should make the secure option the easiest option. This goes beyond looking at the technology, to looking at the people who use it, and the organisation’s culture.
Traditionally, organisations treated security as a gate to pass or something that was bolted on at the end of a project. It was the responsibility of people with security in their job title. By contrast, successful businesses think of security and resilience positively, as fundamental to a company’s culture, and as a concern for all enterprise executives, managers, and employees. This approach ensures security is central to all daily business processes, increasing resilience and improving the organisation’s ability to respond if there is an issue.
To create a culture of security, businesses must follow ten key principles, five of which we will outline in this blog:
1. Education: This means keeping your workforce skilled up on the available technology, seeking advice from security specialists, and working to understand security policies and rules. Doing so maximises every employee’s ability to be the first line of defence in their company’s security programme, cutting down the chance of simple errors that could result in a security issue. It also includes setting the expectations for the whole business, be it the security configuration that should be implemented by application developers or the patching responsibilities of product owners.
2. Hygiene: Good security hygiene is vital to preventing basic mistakes from turning into security threats. As such, employees must understand the dangers of poor security practices, such as sharing user accounts and passwords. Meanwhile, businesses need to ensure the access systems they have in place facilitate secure practices. For instance, AWS services offer temporary credentials that can last minutes or hours, after which they will no longer allow system access. This tightens control over service access, reducing the likelihood of unintended access to business data.
3. Learning from issues in a no-blame way: There will always be issues with humans and the software they build. The important thing is to learn from the issues and take action. Creating a culture where root cause analysis is done objectively and without blame helps an organisation learn. Don’t ask whether the person made a mistake; instead ask what could be done to ensure that the right choice is made next time. You also want a culture where people are comfortable raising security issues because they know they will be supported by the security team.
4. Meet your people where they are: Working with your developers will help you understand the processes they go through to build and release software. This will help security understand where they can enable developers to make good security choices, or inherit capability so they can focus on business logic. For example, integrating your cloud platform with your corporate identity provider and making sure that developers can create permissions within understood guardrails helps remove security as a gate. Providing automated checks that run in pipelines can give early feedback to developers and help them build to the desired security posture.
5. Metrics and monitoring: Being able to measure your security posture and give people access to the data is a good way of communicating and understanding where the high-performing parts of your organisation are. If you can identify teams doing well or building innovative solutions, you can expand their use across the business. Telling people what they are being measured against and giving them tracking tools promotes a culture of ownership, which reinforces the positive security approach.
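Principle 4 mentions automated pipeline checks that keep developers within understood permission guardrails. The following is an added illustration of what such a check can look like, not code from the original post or from AWS: a small Python linter that reads an IAM policy document and flags three common guardrail violations (wildcard actions in an Allow statement, `Resource: "*"` on actions that are not read-only, and `iam:PassRole` granted without a Condition). The sample policies, bucket name, account id, and role name are constructed for the example, and the read-only heuristic (actions whose verb starts with Describe, List or Get) is an assumption a real team would tune to its own standards.

```python
"""Pipeline guardrail check for IAM policy documents (added example)."""
import json
import sys

# Constructed sample policies; names and account id are placeholders.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/example-app-task-role",
         "Condition": {"StringEquals": {
             "iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    ],
})

# Read-only Describe calls legitimately need Resource "*", so they pass.
READ_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes"],
         "Resource": "*"},
    ],
})

# Assumed heuristic: verbs with these prefixes are treated as read-only.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """'s3:GetObject' -> verb 'GetObject'; '*' has no verb and is not read-only."""
    _, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_PREFIXES)


def check_policy(policy_json):
    """Return a list of guardrail findings; an empty list means the policy passes."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not flagged here
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # Guardrail 1: wildcard actions ("*" or "service:*") in an Allow
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")

        # Guardrail 2: Resource "*" is only acceptable for read-only actions
        if "*" in resources and not all(_is_read_only(a) for a in actions):
            findings.append(
                f"statement {idx}: Resource '*' with non-read-only actions")

        # Guardrail 3: iam:PassRole must be constrained by a Condition
        if "iam:PassRole" in actions and "Condition" not in stmt:
            findings.append(f"statement {idx}: iam:PassRole without a Condition")
    return findings


if __name__ == "__main__":
    # Run as a pipeline step: non-zero exit fails the build and gives early feedback.
    failed = False
    for name, doc in [("overly-broad", OVERLY_BROAD_POLICY),
                      ("scoped", SCOPED_POLICY),
                      ("read-only", READ_ONLY_POLICY)]:
        result = check_policy(doc)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print(f"  - {finding}")
        failed = failed or bool(result)
    sys.exit(1 if failed else 0)
```

Running the script as a pipeline step fails the build on the overly broad policy and passes the two scoped ones, which is the kind of early, specific feedback the principle describes; the findings name the statement index so a developer can fix the policy without involving the security team as a gate.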
A culture of security will significantly improve an organisation’s security posture by becoming the framework through which all employees behave, build technology, and make decisions. However, for it to be a success, companies need to take a structured approach to introducing the framework. A culture of security is based on education, hygiene, threat modelling, and all employees working together as a unified team. Do this and your organisation will improve its security posture, set itself apart from the competition, and keep its data safe. Look out for more tips on building a culture of security to come.
At AWS, security is our top priority and we believe it is critical for customers to understand the best practices for using cloud technology securely. We have a world-class team of security experts monitoring our systems 24/7 to protect customer content. With AWS, customers own and control their data, including where it is stored, how it is stored, and who has access. AWS works closely with customers in Thailand to optimise their security posture, starting from educating customers on the shared responsibility model of security. AWS is responsible for protecting the infrastructure that runs all the services offered on the AWS Cloud. Customers are responsible for managing their data (including encryption options), classifying their assets, and using Identity and Access Management tools to apply the appropriate permissions. The AWS Compliance Program helps customers understand the robust controls in place at AWS to maintain security and compliance in the cloud. These will help customers in Thailand meet their obligations under the Personal Data Protection Act B.E. 2562 (2019) (PDPA).
About Amazon Web Services
For over 15 years, Amazon Web Services has been the world’s most comprehensive and broadly adopted cloud offering. AWS has been continually expanding its services to support virtually any cloud workload, and it now has more than 200 fully featured services for compute, storage, databases, networking, analytics, machine learning and artificial intelligence (AI), Internet of Things (IoT), mobile, security, hybrid, virtual and augmented reality (VR and AR), media, and application development, deployment, and management from 81 Availability Zones within 25 geographic regions, with announced plans for 21 more Availability Zones and seven more AWS Regions in Australia, India, Indonesia, Israel, Spain, Switzerland, and the United Arab Emirates. Millions of customers—including the fastest-growing startups, largest enterprises, and leading government agencies—trust AWS to power their infrastructure, become more agile, and lower costs. To learn more about AWS, visit aws.amazon.com.
For media inquiries, please contact:
Saiwaroon Tiranonrungrueng, AWS PR, ASEAN | firstname.lastname@example.org
Jidapa Parry, TQPR (Thailand) Co., Ltd. | email@example.com | 02-260-5820 ext. 113