Working as a security leader at startups, I have found that security is often an afterthought. This mindset is pervasive in the startup community, given that security can be expensive. Every company has to balance the level of security it has against an understanding of its responsibilities to the data: the types of data it holds, the sensitivity of that data, and so on. But, above all, the company must remain sustainable. In other words, you can’t spend more than you make.
It is important to understand what an organization’s risk appetite is and how much they are willing to spend on security. With startup security or any organization with a less mature security program, significant impact can be made by changing people’s mindset on security. For example, if your engineers think “we can push security to the end,” what they actually need is better education on how they can start bringing security in sooner so that in the end it does not become a huge overhaul, or worse, a massive breach.
So, how does one get started? There are two core tactics that will help foster a security culture: threat modeling and “pre-social engineering.” Nabil Hannan, NetSPI Managing Director and host of the Agent of Influence podcast, recently sat down with me to discuss this very topic. From the conversation, here are my recommendations on how to leverage threat modeling and pre-social engineering to effectively prioritize security in your organization and create a security culture.
Start with a two-pronged approach of threat modeling and frameworks
When building a security program, I generally like to work from the outside in when it comes to tooling and from the inside out when it comes to people. To build trust with the people in your organization, an inside-out mindset is critical. To achieve this, I suggest starting with threat modeling and frameworks.
Frameworks, that is, a system of standards, guidelines, and best practices to manage cybersecurity risk, are a great way to know what the bones of your skeleton (the security program) look like so that you know where to add the muscles (controls, technology). In tandem with frameworks, threat modeling is a great starting point. It allows you to understand what data you have, where it is, how it can be attacked, where your vulnerabilities are, and much more. Threat modeling helps you figure out where to start based on what presents the most risk. At a bare minimum, it helps you define who you’re trying to protect against, and that information is invaluable.
Additionally, some companies don’t yet understand the data they should be worried about. Which data is valuable, and in what ways? Threat modeling helps identify how specific data can be used by threat actors and can help organizations distinguish the realistic, big picture ramifications if the data is compromised.
What is pre-social engineering?
The idea behind pre-social engineering is to work with the people in your organization to make sure they remain kind and helpful to customers but are very skeptical of people asking for assistance from outside, and even inside, the company.
A lot of organizations find value in phishing their employees. To a point, I agree with using phishing as a security awareness tactic. However, today’s phishing emails are so sophisticated and so difficult to tell apart from real emails that even very skeptical security teams fall for them. For a great example of how sophisticated social engineering has become, watch this live vishing attempt from DEF CON.
Over time, I believe phishing simulations have become a demotivating way to earn trust. If an employee fails a social engineering engagement, they are effectively disciplined by having to spend valuable time on retraining. Pre-social engineering is a more effective way to establish trust between security and the rest of the organization.
Along with your annual or quarterly security training, of course, send out digestible information about the latest threats to encourage people to familiarize themselves with security. In my opinion, approachability is one of the most effective characteristics of a successful security leader. You don’t want your employees to be afraid to approach you with a security suspicion out of fear that they will get in trouble. As part of pre-social engineering, reward your employees when they communicate with the security team.
Social engineering has the highest likelihood of compromise within any organization because the attack takes advantage of empathy. It is essential to understand that no matter how good your security is, adversaries will always find a gap. If they can reach the right person, at the right time, with the right story, they’re going to get in.
In the security industry we often hear, “people are your weakest link.” On the contrary, I believe they’re your strongest line of defense. For more on how to leverage threat modeling and pre-social engineering to prioritize a security culture, listen to my full interview with Nabil. Or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.