ITSPmagazine Podcast Network

Winning Buy-In: Mastering the Art of Communicating (the Value of) Security (Culture) to Management | An OWASP AppSec Global Lisbon 2024 Conversation with Ida Hameete | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

In this episode of On Location, Sean Martin sits down with Ida Hameete at the OWASP Global AppSec Conference to explore how fostering a security culture within organizations can drive both security and business success. Discover practical insights on aligning security practices with company values and gaining executive buy-in for seamless integration of security into your organizational strategy.

Episode Notes

Guest: 

Ida Hameete, Application Security Consultant, Zenrosi

On LinkedIn | https://www.linkedin.com/in/idahameete/

____________________________

Host: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

____________________________

Join Sean Martin in this episode of "On Location" as he speaks with Ida Hameete at the OWASP Global AppSec Conference in Lisbon. Sean and Ida dive into the critical topic of creating a robust security culture within organizations. The conversation begins with an overview of the conference, emphasizing the importance of building secure applications that protect both users and businesses.

Ida, with her extensive background in product ownership and security strategy, shares her unique perspective on why a security culture is integral to an organization's overall success. She explains that fostering a security culture isn't merely about training engineers but involves a collective effort from management and executive teams to prioritize and endorse security practices.

Ida underscores the significance of aligning security culture with company culture, arguing that this alignment leads to smoother operations and fewer security breaches. She elaborates on how companies with strong security awareness often use their secure products as a marketing tool to differentiate themselves in the marketplace. This strategic approach not only enhances product safety but also provides a competitive edge.

The discussion also touches on the common issues where management's lack of understanding or support for security measures can hinder effective implementation. Sean and Ida explore how management's commitment to security, demonstrated through adequate resource allocation and strategic planning, can drive a positive security culture through the entire organization.

Ida provides practical examples from her experience, illustrating how purpose-driven business cultures can naturally incorporate security into their core values, benefiting both employees and customers. She highlights that a well-integrated security culture can lead to better workflows, reduced costs, and enhanced customer experiences.

Towards the end of their conversation, Ida reflects on the necessity of communicating the business value of security to upper management, suggesting that this approach can shift the perception of security from a fear-driven mandate to a valuable business asset. She encourages leaders to find their company's purpose and align security practices with that mission to achieve sustainable success.

Listeners are invited to attend Ida's session, "Winning Buy-In: Mastering the Art of Communicating Security to Management" at the conference, which promises to offer deeper insights into securing executive support for security initiatives.

Be sure to follow our Coverage Journey and subscribe to our podcasts!

____________________________

Follow our OWASP AppSec Global Lisbon 2024 coverage: https://www.itspmagazine.com/owasp-global-2024-lisbon-application-security-event-coverage-in-portugal

On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllTzdBL4GGWZ_x-B1ifPIIBV

____________________________

Resources

Learn more about OWASP AppSec Global Lisbon 2024: https://lisbon.globalappsec.org/

Ida's Session: https://owaspglobalappseclisbon2024.sched.com/event/1VdB4/winning-buy-in-mastering-the-art-of-communicating-security-to-management

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-society-podcast

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And here we are. You're very welcome to a new On Location with Sean Martin. I'm here in Lisbon for the OWASP Global AppSec Conference. And, uh, yeah, we're talking about all things AppSec and secure development and, yeah, basically building apps that, that take, take care of protecting the user and the business from all the bad stuff that can happen. 
 

And, uh, that doesn't just happen by sticking an engineer in a room and getting him. Getting them trained up on what it means to build a secure app. Their management team has to guide them and get approval from the executive team. And that takes, uh, some work to do. So I'm thrilled to have Ida Hameete with me. 
 

Ida, how are you?  
 

Ida Hameete: Hi, I'm good. Thank you for being here.  
 

Sean Martin: And, uh, thanks for joining me. We're, we're enjoying, uh, the, the city. But more importantly, we're enjoying No, maybe not more importantly. It's fun to enjoy the city. But we get to meet some cool people. [00:01:00] Yeah. Have some good conversations. So I, I know you're here for a bit, anything, uh, strike you from, from your time here thus far? 
 

Ida Hameete: Um, meeting so many people who are interested in security and really want to do a good job and make the world more secure. That's great.  
 

Sean Martin: Yep. Yep. I agree. I've had some good conversations as well. We'll, we'll see how much of that comes to bear before we get into, uh, the topic, which is, uh, your talk here at this, at the conference. 
 

Maybe a few words about what you do, your role, and what you're up to at the moment.  
 

Ida Hameete: Um, I'm coming from a product ownership, so I have 15 years of experience in software. Uh, but I'm not a developer. That's, for me, it's an important thing because I have a different view on things. I'm since two years in security and, uh, do security strategy consulting, but especially culture consulting. So you would [00:02:00] say, okay, why do you need culture consulting? But yes, there's company culture and security culture is an important part of it. And when you want to make security strategy work, so really work, you need a security culture. So in my experience, it also, um, came out that when you do have a good security culture in your company, um, together with a good company culture, uh, because you also need this, then it just runs, it just flows. 
 

It's just there. You have this idea for the new strategy and the people. are on the same strings, they pull the same ideas, and it, it, it works. Well, when you have not this culture, they work against it, there are delays, there are people just forgetting it to do, or just dealing, even are dealing against it. 
 

So, you will not have so much more security as you [00:03:00] wanted. You will not have the, the, uh, benefits that management want out of it and all this stuff, and you will not have secure products, I mean, for your customers. So everything kind of flows when you have this security culture, and a lot of things become more and more and more difficult when you don't have it. 
 

Sean Martin: So I think, so we... This idea is not necessarily new, the idea of security culture. 
 

I have a business culture in general, but then security culture But my, my sense is a lot of people approach it from the end user perspective. So a lot of the training is for don't click bad things. Yes. Don't reply, don't, don't do wire transfers, if you think, that kind of stuff. Um, is it, do you, do you feel the same? 
 

That, that the, the focus and the priority is usually there? Or do you see, you see an investment in engineering as well?  
 

Ida Hameete: It's very [00:04:00] different. Um, and it really depends on the company. There are companies who do have a really good security culture. Everybody understands that security matters and to, to, to, to work together on security, um, and you will often see them strive, strive, even though they are not a security company, they are just normal companies, but they make their product secure and they can even use it for their marketing, for, you know, product differentiation, everything. 
 

So it flows. But there are enough companies where, um, often the people who are developing, or the architects, say how important it is. So it's mostly not them who don't understand it. They like their subjects. They want to make it more secure. But the biggest problem in the world, in some companies, is that management does not understand that even though perhaps they want security, they need to really culture security. 
 

They say just do it, but it is not [00:05:00] just do it because then there is not the money or the resources or the time or the features are more important. You really need to make security matter in your company and then it will flow. So. I think that, um, there is this, we need to do security. Right. But that does not say that you have a security culture. 
 

Right. So, this is missing.  
 

Sean Martin: So, uh, who, who drives that? Um,  
 

Ida Hameete: Uh, in German we have a saying, and this is the, uh, the fish always stinks from the head. And, I, I love it because it's so plastic. Um, I think that, um, in the most companies, it's not missing at the engineers level. The understanding that you really need the security culture to make it work is missing at the management. 
 

They think, click, just works. But it's more than that. So, yes, I think.  
 

Sean Martin: Just another feature?  
 

Ida Hameete: Yeah, just, yeah, kind of that. And I think [00:06:00] it really, um, the, the change is needed in management. Especially in upper management, because like when you look at the ISO, we all know the ISO 27001. One of the first things you need to make clear is that C level is completely behind this, what you're doing. 
 

But often it's just a paper signed somewhere, perhaps not even read. So it's not that they really understand the value of security and stand behind it and push it. Like other I don't say it's all companies. No, please not. There are enough companies who are really good in that. But there are also enough companies where the management, the upper management, does not understand it yet and does not support it yet. 
 

So this is, um, where I think security cultures come in.  
 

Sean Martin: So let's talk about the under, understanding part. Because I think as an industry, I think we're getting better. But as an industry, we, we present cybersecurity as, um, [00:07:00] magical thing that happens, right? Right? Only, only the smartest people who know how to hack understand what's really going on. 
 

Don't worry about it. Upper management, we have it under control.  
 

Ida Hameete: Yeah, the technical people will do it. Yeah. They, they deal it.  
 

Sean Martin: So, so the, the leadership teams that, that want to check the box, let's, let's do security, quote unquote, do security. Um, how do they arrive at the point of, making that decision? Either is it from a peer, some board member, or some competitor got hacked, or to, because it, in my view, they, they make the decision not knowing what it really means, that, that...  
 

Ida Hameete: In my experience, there are two reasons why, why, um, C level people become more, um, conscious of the topic. 
 

This is, somebody else got hacked, or in general, the, [00:08:00] uh, uh, the fear becomes more. But I think this is not the right driver. Right. Because When you do something out of fear, you will not good think good about it. You just want to have it done. But there's another reason. So I, I believe that a good cyber security can be, um, a great value for your marketing. 
 

It can be a great value for your product differentiation. It can be an enormous value to to get new customers, um, especially in business to business. Yeah. Uh, we had some talks about how it helps in RFPs when you have a good security, um, program and you can just. Yes, we have that. We have that. We have that. 
 

And it's a good reason for, for, for people to come to you and be your customer. But that you can do when you have a good security strategy and you have a good security culture and management really understands that. It is a business driver. It really is. There are enough, um, enough studies [00:09:00] where you can see that it has a great return on, on investment. 
 

So just from a financial point. It's smart to do so. I mean, not thinking about anything else, what it can mean for your customers, for your, your, your employees or anything. Just the financial part. Just do it because it's smart to do. And I think we should more have a look. And this is what what I especially do on the positive things, not the fears. 
 

Yes, the fears are there and they are a driver. And when they come to me because of the fears, that's good. But then I talk about them about the values. And what they can do with it. So they have a total different motivation. And I think this is so important why, um, yeah, speaking language of management, they think about the values for their company. 
 

Also to, um, Uh, to make a connection between the purpose of the company and the purpose of why we do security to reach that purpose. And then [00:10:00] you know why you do security. Then you see the financial values. Then you see your marketing, your business values. You see for customers, um, if you, if you're a product guy or girl, yeah, you can also see security. 
 

So much advantages there. You often, when you think from a, from a security perspective and you do it smart, really by security, by design, you often have a easier workflow, less costs, uh, and a better experience for the customer in the end, your end user can have such so much better experience when you do a good security, because you think out of the box and do better security and have better customer experience and. 
 

So there are so many advantages to get out of good security. Good security by design shift left. We all talk about shift left, but it's so important to really start with design. But design starts when management stands behind it [00:11:00]  
 

Sean Martin: and continues to flow all the way through.  
 

Ida Hameete: Yes,  
 

Sean Martin: exactly. So talk to me about some of the language, because having an understanding that Okay, I'm going to work toward the business value. 
 

You actually said we can streamline things, be more productive, better products. That doesn't happen overnight. Yes, so how does, how do teams communicate to arrive from nothing to a point where it's actually a benefit, in some of the ways you talked?  
 

Ida Hameete: I think it starts with with the understanding of management and really communicating this in the company. 
 

So all the people who are already interested in security will have the possibility to do it. And that we start with management talk. But then we go into strategies, we go into tactics, and this tactics will go into really things they change in the company. But you don't only change [00:12:00] technique. So it's not just buying some new tools and everything is done. 
 

You, you change a lot about the ways you work, doing, uh, um, security by design, doing threat modeling, all these things, having much more, um, smarter ways to, for example, do permissions things in the company. Also just the, the workflows, not just the tooling. So it, it, it, it comes down when you have this support. 
 

Sean Martin: Are there examples, other parts of the business? I'm thinking HR, big into culture as well, finance, legal, general operations, M&A, business development, pick your favorite department. Are there parts, other parts of the business where culture matters that we can, I'm speaking to business leaders now, right? 
 

Yes. So, you do this already in other parts of the organization, right? How does, how can they picture what they do in those [00:13:00] other parts and attach it to? Okay, take,  
 

Ida Hameete: uh, take HR because, uh, HR for me is something that really profits from a good company culture, a good purpose. Um, you know the talk of Simon Sinek and his book, Why, and he also tells how this can push to have the right People, the right employees already when you have the interviews in HR because you're talking about your, your values, you're talking about your purpose and you see if it resonates with the people. 
 

So having this purpose, having the culture in the company really helps you to find the right people. Uh, to work with you, to stay, to, to, to support the company. So for HR, having a purpose, having a, um, having a good company culture really helps.  
 

Sean Martin: And how, how do you measure?  
 

Ida Hameete: Okay. It depends [00:14:00] on where you whom is asking if you want to. 
 

Um, if, if it's management, we do have a return on investment we want to do. So we do measurements which measure exactly the, uh, parts where we, we expect the return on investment. Yes. Um, so when you are talking about, uh, uh, middle management, probably they want to see how the Security culture evolves what they are. 
 

Their plan is to evolve the culture because that will help the return investment parts. So for them, you have a list to, um, to evaluate. Uh, this is also something I do to develop these, uh, measurements, especially for security culture to find out is the motivation there is the ability there are the triggers. 
 

There is really this, um, Are them really becoming better and better in this whole culture thing? Also hard facts like how many threat [00:15:00] modelings have we done? What's the quality of the threat modelings? What's the outcome? How often did we have to change security things in the end? Perhaps delay product, um, shipping or anything. 
 

So how does that go down? How does security culture go up? How does threat modeling go up? So you have very good measurements to measure security culture and also their outcomes, and you have possibilities to measure return on security investment.  
 

Sean Martin: How connected do you find the security culture to business values and business mission and vision? 
 

Ida Hameete: Completely. So there's always a line? Yeah, there must be a line. So there is business value, business mission, vision. Um, this is the start.  
 

Sean Martin: Would the word security be in the mission and vision?  
 

Ida Hameete: Does not have to be. You are a company and you are, [00:16:00] for example, I worked for Epic Systems, a healthcare company, so this is really my mothership, kind of. 
 

Really, it influenced me so much in my life, I can't believe it. I still have to tell Judy how she really influenced my life. And what I'm doing now, Because she has this idea, have the patient in the heart. Really, that when I came there, she was speaking there personally to, to the new people. And she said that we're here to save lives. 
 

And this is her purpose. This is the company purpose to, to really how everything Epic does is really, I believe in my feeling has really much company purpose. But there is not especially written in, we do it secure. I mean, this is just. obvious when you have the patient in the heart, when you want to save lives with the things you're doing, you need to do security because when there are two patient records and they get [00:17:00] across and you get the wrong medication or the system fails and it's just down while somebody is, yeah, it's in surgery, things like that. 
 

It's so when you do have business purpose, and this purpose you want to, to, to, to reach, you need security. So out of business values, out of mission vision of the company comes the need to do security. And then everybody in the company understands why he does security, why he does testing. Why do we test things? Because we don't want that things fail. Um, but that does, it's not only for, um, healthcare companies. It's also when you're working for a big bakery and you have all these machines there. You definitely want to make really good quality bread for, for your customers. This is something that enlightens their day. 
 

Yeah. You have this mission and You need to have the machines do the right combination of stuff. So your [00:18:00] bread is good. So it can enlighten the day of the people and make them do better things. So yes, it comes, it always starts with business values. And this is also why security culture is in somehow very general because it is a security culture, but it is very specific to every company because it had, it comes out of. 
 

The business value, the business needs, the business plans, depending on what the plans of the business are for the next, let's say, year, two years, three years, five years, ten years, you need to do more or less security. You need to make it more here or more there, so security culture comes out of business culture. 
 

Security strategy comes out of business strategy.  
 

Sean Martin: So, as you were speaking there, I was thinking of a question that I thought might be controversial. And then I thought, No, there's a different way to actually frame the question. So the original question I was going to ask was, [00:19:00] if a company has a poor business culture, with very little passion or drive for the customer, all they want to do is build stuff and sell stuff, would that then result in a crappy security culture? 
 

So the reframing of the question is, Can a good security culture prompt executive teams to rethink their purpose as a business, perhaps? So I'm thinking of the healthcare one. I mean, it's easy to, easy to wrap your head around and your mind and your heart around protecting people. Yeah. And maybe making their lives better. 
 

Bread, a little harder. I love bread. I eat too much bread. But it's harder to eat. So I'm just wondering, is it one direction or the other?  
 

Ida Hameete: There must be an opening somewhere in the minds to actually do culture. I mean, you can always [00:20:00] think, I want to buy my next Ferrari, and that's the only reason why I do this business, and so I just want to earn money, and I don't care about customers, about whatever. 
 

I guess the most companies are definitely not like that. Right. When you start a company, there is a spirit, there is an idea, there is something you want to change in the world, I guess, mostly. And, um, sometimes there can be like in, in, in Europe, we got this NIS 2. And so at least in critical infrastructure, and I mainly work in critical infrastructure, there are a lot of extra things they have to do. 
 

And there's also, uh, at least at the moment in the papers, in the German papers, there is a mandatory, uh, lesson about cyber security or security for C-level people. So there is this moment. There's this perhaps this opening where even though the people were not so much interested in security yet, perhaps, and this is also why we [00:21:00] want to do this teachings, this this sessions with them, um, to to explain them these things, explain them the possibilities, not only the fears and the theories, but the possibilities too. 
 

And then I hope when they, when they get this idea and they understand that they need a good security culture, and security culture works best when it's clear with your company culture and your company purpose. I hope there will be companies which come to us and ask, let's do a purpose session. Yeah. So understanding how much purpose can change for them. 
 

And I know there are so many people who, who tell that about company culture and how much it matters, but perhaps, yeah, perhaps when they have to do, have to do security and they think in their head, okay, I want to do it smart because I don't want to spend all that money. And. in this black hole of security. 
 

And okay, there is this girl telling me when I do security culture, that will go more easy. And okay, so I want to do security culture because then it [00:22:00] becomes easier what I have to do anyway. And yes, perhaps then I can help them with their purpose too. I would love that.  
 

Sean Martin: Yeah, I love it too. I love it too. 
 

Well, Ida Hameete, it's been a pleasure chatting with you.  
 

Ida Hameete: Thank you.  
 

Sean Martin: And, uh, your session, Winning Buy-In, uh, Mastering the Art of Communicating Security to Management, here at OWASP AppSec Lisbon, uh, is on, what day is it on? It's on, uh, tomorrow. Yes. It's on Friday, yes. So, hopefully I'll get this episode out and people can join you, uh, at your session tomorrow, but I'm pretty sure it'll be online as well. 
 

Ida Hameete: Okay, great.  
 

Sean Martin: I hate to record these, so. Thank you so much. Any final words for the audience?  
 

Ida Hameete: Um, find your purpose.  
 

Sean Martin: Find your purpose. I love it. I love it. Thank you so much. And thanks, everybody, too. Thanks everybody for listening and stay tuned for more coming to you from OWASP AppSec Lisbon. Thanks all.