Security isn’t AWS or your tech stack. That’s part of it, but it’s so much more than that: it’s your people.
It’s fundamental for startups, and businesses of any size, to take a people-focused approach to cybersecurity awareness and education.
By focusing on your team, you can equip them with everything they need to help defend your company. Because in reality, security isn’t a once-and-done activity—it’s 24/7, and only effective if everyone is on board.
Laura Bell from SafeStack shares more insight on why this is important, how to think about it overall, and why it’s never too early to start. A replay of the livestream event is linked at the end of this post.
What is people-centric security?
Security exists because of people, so it makes sense to solve security challenges with people at the centre.
Laura explains that it’s part of our survival instinct to want an item that we don’t have, that is fundamental to life, or that holds some value.
“As human beings, for as long as we have been human beings, we have applied the technology of the day to help us to get that item, to disrupt that item, to disrupt the world around us.”
And although we have evolved past the technology of the caveman days, humans still have that instinct to want to gain access, to expose vulnerabilities in people and in systems.
Security isn’t only a tech problem; it is primarily a people problem.
With that in mind, many startups still lose focus and momentum when security training is based entirely on understanding laws, regulations and compliance.
“Most of us who get security awareness training, and we're not criminals, we're not bad people. In fact, we've done our entire lives, following the rules, following the law, and we've thrived because of it.
“But because of that tendency to follow the law, we've forgotten how vulnerable we can be and how things can be used in ways we hadn't expected,” said Laura.
A human approach is needed. SafeStack is a community-centric online learning platform that enables people to safely explore security.
4 practical steps to a people-centric cybersecurity strategy
Collaboration is key
For a long time security wasn’t part of the software building process. Now, every person involved—developers, testers, analysts, architects—can find ways to build security work into their own role in software development.
“It's all about making sure that we are taking a collaborative approach to securing the things that matter. Historically, we've loved to believe that, you know, this one person in security is going to save us all.
“They're gonna be like Batman and swoop in and, you know, stop all the bad things from happening and we can all feel safe. But in reality, that doesn't scale. It doesn't work at all. The most successful groups and organisations when it comes to security are those who share the responsibility across all people.”
Laura compares this collaborative approach to meerkats, who from an early age are taught how to monitor for threats. Not just one meerkat, but every single meerkat is given the tools to respond to an emergency—which they then practice frequently. Nature shows us the power of working together collaboratively.
Data is everywhere. A people-centric approach means understanding who, where and what in terms of data access. “Almost having an amnesty across your team and saying, ‘where is it?’ or ‘what are you using?’”
Laura reminds tech leaders that it’s about a blameless approach to security, so that your team realises they won’t be fired or penalised if anything goes wrong. “It’s about saying, ‘hey, what’s the minimum security we each need to do to stay safe?’” Again, it’s collaborative.
Within this, security is less about compliance and regulation, and more about quality. “Treat security as part of quality,” said Laura.
Security is ongoing. It’s not about “spending a million dollars on three tools,” instead it’s “about acknowledging it needs to happen all the time.”
Laura shares a powerful exercise for teams to change their security mindset. Essentially, draw an architecture diagram on a big piece of paper and start to think differently.
Ask: “If I was gonna go evil, what would I do to this?”
From here, with every new technology or team member you bring in, there are changes to be made to this answer. It’s about seeing opportunity, rather than negativity.
“Be lazy as a security person,” said Laura, followed up quickly with: “Let me explain.”
“Automation has to be your friend.”
It’s important for tech leaders to embrace automation, as it helps you do things more consistently and not lose track of them. It also lets a small team cover more than one person’s work when there isn’t enough resourcing to get a job done.
With automation, your role can shift from being just about audit to being a collaborative role that continually improves the security stance of your business.
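One way to combine the two ideas above, the “if I went evil, what would I do to this?” exercise and the advice to let automation do the repetitive part, is to write the architecture diagram down as data and have a small script re-ask the questions every time a component or flow changes. The example below is an added illustration written for this post; it is not SafeStack’s or Laura’s code, and every component, flow, trust zone and control name in it (“browser”, “api”, “db”, “tls”, “authn”, “authz”, the three-tier layout) is constructed for illustration. The policy it encodes, that any arrow crossing a trust boundary needs transport encryption and authentication and any arrow touching personal data also needs authorisation, is an assumed minimum, not a standard.

```python
# Added example for this post: the "draw the architecture and ask what you
# would do if you went evil" exercise, encoded as data so the questions are
# re-asked automatically every time a component or flow changes. This is not
# SafeStack's or the speaker's code; every component, flow and control name
# below is constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    zone: str              # trust zone the box sits in, e.g. "internet", "dmz", "internal"
    stores_pii: bool = False


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str              # what travels along the arrow in the diagram
    controls: FrozenSet[str] = frozenset()   # controls already in place: "tls", "authn", "authz"


# Minimum controls this (assumed) policy expects on an arrow that crosses a
# trust boundary, plus the extra one expected when personal data is involved.
BOUNDARY_CONTROLS = frozenset({"tls", "authn"})
PII_CONTROLS = frozenset({"authz"})


def crosses_boundary(components: Dict[str, Component], flow: Flow) -> bool:
    return components[flow.src].zone != components[flow.dst].zone


def required_controls(components: Dict[str, Component], flow: Flow) -> FrozenSet[str]:
    needed = set()
    if crosses_boundary(components, flow):
        needed |= BOUNDARY_CONTROLS
    if components[flow.src].stores_pii or components[flow.dst].stores_pii:
        needed |= PII_CONTROLS
    return frozenset(needed)


def find_gaps(components: Dict[str, Component], flows: List[Flow]) -> List[str]:
    """One line per missing control, in diagram order, so the output can be
    diffed between runs (e.g. in CI) and a newly introduced gap fails the build."""
    gaps = []
    for f in flows:
        for c in sorted(required_controls(components, f) - f.controls):
            gaps.append(f"{f.src} -> {f.dst} ({f.data}): missing {c}")
    return gaps


def review_prompts(components: Dict[str, Component], flows: List[Flow]) -> List[str]:
    """The 'if I went evil' question, generated for every boundary crossing so
    the team re-asks it whenever the diagram changes rather than once a year."""
    return [
        f"If you went evil, how would you use '{f.data}' to get from "
        f"{components[f.src].zone} ({f.src}) into {components[f.dst].zone} ({f.dst})?"
        for f in flows if crosses_boundary(components, f)
    ]


def sample_architecture() -> Tuple[Dict[str, Component], List[Flow]]:
    """Constructed three-tier example; not a real system."""
    comps = {c.name: c for c in [
        Component("browser", "internet"),
        Component("api", "dmz"),
        Component("db", "internal", stores_pii=True),
        Component("ci-runner", "internal"),
    ]}
    flows = [
        Flow("browser", "api", "login form", frozenset({"tls", "authn"})),
        Flow("api", "db", "customer records", frozenset({"tls"})),
        Flow("ci-runner", "db", "nightly backup"),
    ]
    return comps, flows


if __name__ == "__main__":
    comps, flows = sample_architecture()
    for line in review_prompts(comps, flows) + find_gaps(comps, flows):
        print(line)
    # A non-zero exit makes a CI job fail, so a new gap is noticed the day it appears.
    raise SystemExit(1 if find_gaps(comps, flows) else 0)
```

Run it once by hand to get the discussion started around the big piece of paper, then run it in the build: the architecture file changes in the same pull request that adds the new service, so the “what would I do to this?” question is asked at the moment a new component or team member arrives, which is exactly when the post says the answer changes.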
Security is broader than laws and compliance.
“Compliance is your license to operate.” It means you meet a regulation or a requirement. Whereas security is understanding risk, and working as a team to take the steps to prevent, detect and respond to that risk.
So whether you’re a meerkat or a human, it’s important to take a collaborative approach to your security work—one that is accessible to all.
To watch the full livestream with Laura and Phil, visit our YouTube channel.