Usually when we talk about information security, we're talking about the mechanics of how things work. The attacker broke into a system due to a reused password, there was SQL injection because queries weren't parameterised or the company got ransomware'd because they didn't patch their things. These are all good discussions - essential discussions - but there's a broader and perhaps even more important one that we need to have and that's about the security culture within organisations.
This is something that's been on my mind for a while, but it really hit me back in September when I was over in Salt Lake City for Pluralsight's LIVE conference. I did a bunch of customer meetings which essentially meant saying g'day to various enterprises learning through Pluralsight and hearing about the things that were important to them when it comes to security education. Without exception, every single one of them asked the same question: "How do we create a culture of security within the organisation?"
What these companies were really asking for was how to make all the other great "brass tacks" education really stick. They could set their people on a learning path that involved absorbing a whole heap of great technical information, but they wanted to go beyond that: they wanted to change the cultural perception of security. A great example of this is that many of the folks in development teams who have been doing traditional security training may well have learned that they should serve content over an encrypted HTTPS connection, but have never actually attempted a man in the middle attack. They've learned the "how" but have never experienced the "why"; they've never actually mounted an attack first hand and seen it in action. Which is why we've made this:
This is a brand new quarterly series we're doing called "Creating a Security-centric Culture". It's really different to a traditional Pluralsight course in that it's video of me rather than just a screen. This was actually inspired by my weekly update videos and we all felt that if I'm going to be talking about culture, a bit more personality would go a long way and that's something that's easier to impart via video. To the earlier point about folks not having experienced a man in the middle attack, I'm holding a WiFi Pineapple here which is an awesome little tool for demonstrating precisely that. I don't use it first-hand in this video, rather I talk about how "showing rather than telling" is a really effective learning strategy.
It's a similar story here:
This is sqlmap and it's an enormously effective SQL injection tool. Don't just teach people to write parameterised queries, give them the opportunity to pillage a system of all its data and then the significance of SQL injection really hits home.
These are a couple of examples out of the module on "Show, Don't Tell" and it's just one part of the 56-minute video. There are also modules on bringing development and security teams together, providing the opportunity for standout team members to become "security champions" and running an internal bug bounty. All of this is designed to help organisations drive towards a more security-centric culture. Here's the especially awesome bit:
The security-centric culture series is freely available to everyone. Forever.
This isn't free as in "give us a credit card then we'll start billing you if you don't cancel it" either. This was really important for those of us working on this initiative because we genuinely feel that a culture shift is what we need to make change happen in this industry; we want to get that message in front of as many people as possible. As part of our drive to do that, the series is intentionally pitched at a level that can be consumed by the CISO on down. We'll be keeping each one under an hour too which makes them easy to consume on the daily commute or over lunch in the office.
We're really proud of what we've created here and the early feedback has been fantastic. We'll be doing another one of these each quarter with each one focusing on different aspects of the security culture within organisations. I hope you enjoy watching this and the others yet to come, Creating a Security-centric Culture is now live on Pluralsight!