Enterprise security can be messy: Building a Security-Aware Culture

2•rezliant•2mo ago

Your executive team gets it. They've approved the budget, they mention security in board meetings, they understand the stakes. You're not fighting for recognition at the top anymore.

But then you look at what's actually happening three levels down. The marketing team is sharing credentials to social media accounts. Sales is pushing back on MFA because it adds seconds to their login process. Developers are storing API keys in public repositories because it's faster than the approved method. Remote employees are working from unsecured networks and don't think twice about it.

The executive commitment is there. The company-wide behavior isn't. And that gap is where breaches happen.

This is the challenge that keeps security leaders up at night. You have the mandate from above, but translating that into thousands of daily decisions made by people who have completely different priorities is a different game entirely.

Comments

necovek•2mo ago

It happens because cybersecurity teams do not design for efficiency and believe that security trumps everything else. If they understood that security, just like anything else, is there to drive the business, they'd perhaps sit down with people doing the work. And then figure out how hard it is to share a simple file or a photo, take it to the print shop as one can't plug in their private USB stick, or how annoying it is to develop Linux IoT firmware on WSL, or how annoying it is to get logged out every 2h.

Because unless you do, people will adopt behaviour that makes them productive, and instead of increasing security, your policies will drive it down.

This is not a result of "bad employees": this is a result of bad security policies.

mrktf•2mo ago

Yes, i couldn't agree more with this. The problem these "bad employees" earns wage by getting results and not entering multiple times mfa codes during day or repeating same logins. And talking from experience: these secure practices starting to approach at least hour of productive time everyday, which is literally robbing time

bdangubic•2mo ago

No security works unless it is enforced and there are severe consequences

> Marketing team sharing credentials

Fireable offense, immediate firing first time this happens, won’t happen again after that, both of person who shared the credentials and person who used the shared credentials

> Sales MFA

Prevent login without it, let them bitch about it for a week

> API keys in repos

Fireable offense not just for commiter but entire team

daemonologist•2mo ago

If you made API keys in the repo a fireable offense for the whole team, people would stop using the repo. There's already a constant problem at my company with people not merging into main/master in order to avoid the overbearing automated security scanning.

bdangubic•2mo ago

with all due respect I am very happy I don’t work where you do or any place where merging to main is a “thing”

tacostakohashi•2mo ago

Well, that's because somewhere between the executive team, which "gets it", and "three levels down"... somewhere between 1 and 2 levels down, there is a team that translates "security" into some compulsory training, scanning internal software/apps/libraries/libraries using crappy automated vendorware, and counterproductive/arbitrary password requirements.

After that, "security" starts to mean "ticking all the boxes to keep the scan happy and stay off the report" (even if the scans are wrong, out of date, littered with false positives, and lacking the ability to find basic problems) and stops having anything to do with actually being secure.

RJ000•2mo ago

"..teams not design..efficiency.."

Enough truth in that.

Need hours back and forth w/the end user, moderately sophisticated UX designers (eg. empathy, anybody?) user education (not mandates) and training, an actually useful help desk, efficient equipment... And real time graduated enforcement that impacts all levels, not just the bottom level perp-scapegoat.

markus_zhang•2mo ago

Gotta meet with each of them and understand how to proceed without impacting efficiency. Security is the most annoying thing in the corporation world so it’s easy to get pushed back.

Compiling Prolog to Forth [pdf]

Show HN: Cymatica – an experimental, meditative audiovisual app

GitBlack: Tracing America's Foundation

Horizon-LM: A RAM-Centric Architecture for LLM Training

We just ordered shawarma and fries from Cursor [video]

Correctio

Trying to make an Automated Ecologist: A first pass through the Biotime dataset

Watch Ukraine's Minigun-Firing, Drone-Hunting Turboprop in Action

Free Trial: AI Interviewer

FDA Intends to Take Action Against Non-FDA-Approved GLP-1 Drugs

Supernote e-ink devices for writing like paper

We are QA Engineers now

Show HN: Measuring how AI agent teams improve issue resolution on SWE-Verified

Adversarial Reasoning: Multiagent World Models for Closing the Simulation Gap

Show HN: Poddley.com – Follow people, not podcasts

Layoffs Surge 118% in January – The Highest Since 2009

Papyrus 114: Homer's Iliad

DicePit – Real-time multiplayer Knucklebones in the browser

Turn-Based Structural Triggers: Prompt-Free Backdoors in Multi-Turn LLMs

Show HN: AI Agent Tool That Keeps You in the Loop

Why Every R Package Wrapping External Tools Needs a Sitrep() Function

Achieving Ultra-Fast AI Chat Widgets

Show HN: Runtime Fence – Kill switch for AI agents

Researchers surprised by the brain benefits of cannabis usage in adults over 40

Peter Thiel warns the Antichrist, apocalypse linked to the 'end of modernity'

USS Preble Used Helios Laser to Zap Four Drones in Expanding Testing

Show HN: Animated beach scene, made with CSS

An update on unredacting select Epstein files – DBC12.pdf liberated

Was going to share my work

Pitchfork: A devilishly good process manager for developers