Content

Two cups honey, one dash vinegar

Share

As a CSO, setting out to create a culture of security, you must make it easy for people to "do the right thing." I've found that training and persuasion (honey) usually work better than threats (vinegar).

The success of security programs often depends on someone other than the "high priests of security."

Building a security culture is like evangelism – if you convert a sinner, they might encourage other sinners to repent. Before long, the heathens are converts and you can put the honey, and the vinegar, away.

The Honey

Several years ago, external security researchers targeted one of Oracle's networking protocols. A developer in that team proudly reported that he fixed an externally reported buffer overflow (caused by ^A), only to be told by my team that he needed to make sure that he accounted for ^B, ^C, and so on. "But nobody would ever do that, would they?" he asked.

We convinced him that the researcher would likely be back soon with all the different ^ variants. After further discussions, including "see what I can do" demos by my internal hacking team, the developer was convinced that he needed to assume a hostile, not benign, environment. Once converted, he became a source of enlightenment for his organization.

Truth be told, he is sometimes now tougher on other developers than my assurance team is.

It proved to be well worth the effort we spent convincing him that these vulnerabilities were not theoretical, but posed real consequences, especially as he created true believers out of his team.

The Vinegar

The corollary to my mother's folk wisdom is: "But sometimes you need to break out the fly swatter and mash the little &^%$s."

I send my security bug wranglers to product development staff meetings each week. At one meeting, they were heckled by a few developers who complained that it was unreasonable to check related files for similar problems after fixing a security bug.

I felt duty-bound in the next meeting to point out how much one of our customers said they would need to spend to patch every server (millions), and when I sent my team in to share their expertise I expected them to be treated with respect. Solved.

In my experience, most people will do the right thing in security if you teach them what it is, make it easy for them to do, reward the good behavior, and punish the bad.

Honey works best – nine times out of ten.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.