Creating a Culture of Security

It’s no longer sufficient to leave security to a team of specialists who watch over the enterprise’s risk posture and control it through a set of constraining policies. It’s not enough to guard the boundaries of the enterprise’s network with firewalls, or to simply implement sets of controls specified in a compliance framework. Security has become everyone’s job, and its management has become a strategic concern of the enterprise. The way forward is for the enterprise to build a culture of security, an awareness of risks and controls, and a set of norms and practices that align with keeping the enterprise secure.

It’s traditional at this point in an article on security to tell frightening stories of companies humbled in the face of the vulnerabilities that they left to be exploited by bad actors. I’ll abstain. We are all well aware of these threats already. More importantly, we must get used to thinking of security as a positive thing, a way of building, acting, and making decisions that’s just something we do, naturally, as builders and enterprise executives. We must treat security as part of our culture, rather than reactively responding to specific threats as they’re encountered.

As soon as an enterprise deploys an IT capability, innumerable attempts will be made to hack it. But the threats to our systems come not only from bad actors. IT systems can also be defeated by bad data, unexpected surges in usage, untested edge cases involving concurrent operations, cascading failures, and speed issues that multiply geometrically. In order for our systems to securely perform their jobs, they must also be scalable, resilient, available, well-tested, performant, and tolerant of failures and unexpected inputs.



Request Free!

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.