This month, CyRise Elevate was joined by guest advisor Marc Bown, CISO and Enterprise Technology Lead at Immutable, a web3 gaming scale-up in Australia.
Prior to Immutable, Marc helped found the security teams at Sportsbet, Fitbit and Afterpay. A leader in security, technology and engineering, Marc is passionate about building empowered, high-performing teams.
He believes that “good security is as much about culture as it is technology” – so we asked him to elaborate!
What do you consider to be an effective security culture?
“Good security requires a company to have three things – the knowledge, ability, and will to do the things that will protect it. The last one – the will – is often the problem.
Companies with a good security culture are willing to invest in security. That investment might come in the form of spending time on training staff, or being willing to make hard tradeoffs, like choosing security over a new feature that might grow market share.
You can also use company culture to move the needle on security. No-one – except us – gets up in the morning excited to deal with a security problem. It’s our job to persuade the company into doing the right thing – and our tool for doing that is culture.”
What does good security culture within an organisation look like?
“A really detailed security compliance training pack… that everyone has to do once a year!
Security people often laugh at this, because that’s what security culture looks like for a lot of organisations. In places like this, people only deal with the security team through annual training, or when they’re forced to engage with some process the security team has designed. But a good security culture is built through three key elements:
- Security team branding: That might sound fluffy, but make sure that people know you’re approachable and helpful. Educate them on how to engage with you and delight them each time they choose to do so. Make each interaction more likely to lead to another interaction. Initially those interactions might be human-to-human, but ultimately you can make those interactions scale through automation and self-service.
- Awareness: But not just for awareness’s sake. Yes, help people know what threats are out there – but also give them specific (and reasonable) calls to action on what to do with that information. Telling people “security is important to us” isn’t useful, because people don’t know how to act on it. But giving the prompt, “If you’re building a feature that touches money, we’d love to help you simulate how an adversary will interact with that feature… contact us in our Slack channel!” – that’s specific and actionable.
- Continuous, relatable and specific communication: People need to be hearing from you constantly, in the language they understand. Communications need to be specific to the audience. If you’re talking to engineers – talk like one. And if you’re talking to civilians – don’t make things inaccessible with jargon and technical concepts.”
You talk about the importance of a good security team. How do you build one?
“It’s important the company understands that good security people want to work at places that value their input and implement their suggestions. They want to make an impact.
So in that way, culture is a virtuous cycle: good security culture comes from a good team, which leads to good company-wide security practices, which leads to a happy security team, which leads to more people wanting to join that team.
We hear all the time about the shortage of security skills, but really, it’s a matter of attracting these skills.”
If there is a strong existing company culture, how do you make sure that the security culture you’re trying to implement doesn’t undermine this, or provide mixed messaging?
“It’s always easier to build on something that already exists. So if there’s already a really strong company culture – piggy-back off it! Use the good elements of the company culture and leverage that for security. But if the existing culture happens to be a problem from a security perspective, be transparent about that. Call it out. But bring receipts! You’ve got to be aware of the issues you’ll come up against and show why you need to change.
For example: if people are really used to something, they’re going to doubt that it’s a problem. Bring examples of the problem, and actionable examples about how it needs to change. Measure, and start to regularly reflect people’s performance back to them. If people buy into the need for change, and are regularly shown how they’re doing, they will try to do better.”
This sounds like change management. Any tips for approaching this?
“Empathy! Make a case to people about why they should change. People are more likely to deal with people being a pain in their butt – who bring them inconvenience – if that person is perceived as a friend. Be approachable, be someone they trust and want to work with.”
You’ve also mentioned looking for empathy in your security team hires. Why is empathy so important across the team?
“Empathetic people know how to balance the needs of others with their own.
The security team is always asking people to do something they didn’t plan to do. Almost all of these people have impossible demands in front of them. They are all being asked to do more, faster, and with less. Influencing the right outcomes requires you to first understand someone else’s priorities, how your request impacts them – and how they might feel about what you’re asking them to do.
I also think it’s important to focus on having a diverse team. You need people who don’t look like you. Who you don’t know. So ask around. Diversity fuels empathy.”
Lightning round questions! What are you reading ATM?
“Twitter. And I listen to a lot of podcasts. Risky Business is how I stay up-to-date with work news. When I do read books, it’s usually because I’m being forced to have time off work, and my wife tells me “this is what you’re reading!”. I just read The Premonition by Michael Lewis (author of The Big Short).”
What music do you listen to?
“I listen to Aussie hip hop and American hip hop – but I can’t listen to that when I’m working. I listen to classical music in the background for work.”
Anything else you recommend?
“The Security BSides – they’re a great group of people.”
Thanks Marc for chatting with us at CyRise Elevate!
Connect with Marc: LinkedIn
CyRise Elevate is our membership and development program for ambitious cybersecurity leaders. We’re currently recruiting members for our new CyRise Elevate tribes for GRC and technical security leaders and have limited spots available in our CyRise Elevate tribes for senior security leaders in scale-up organisations.
If you know an ambitious security leader you think might be a good fit, we’d love to meet them. For our new tribes, the perfect candidate is someone who has strategic responsibilities. Is that you or someone you know? Send us an email at [email protected] and we can send you some more information.