The Bitwarden Blog

Building a Cybersecurity Work Culture

Authored by: Bitwarden

Building a cybersecurity work culture in the age of distributed workplaces is imperative. It can also be challenging, especially when factoring in resource constraints. Fortunately, three experts were on hand to address this topic through a Q&A during the 2023 Open Source Security Summit.

Moderating the Q&A was Leigh Honeywell, Co-Founder and CEO of Tall Poppy, a company specializing in personal and executive cybersecurity for banks, movie studios and organizations who have to deal with internet harassment. 

Honeywell was joined by Henry Fisher, digital rights activist and founder of Techlore. Fisher is also a runner, artist, musician, book nerd, and privacy advocate. He also co-hosts the Surveillance Report weekly newscast. 

Rounding out the panel was Phillip Kampmann, Software Engineer III at AccuRanker. Phillip is the lead developer behind AccuRanker’s Secret Service, which handles secrets through the Bitwarden Secrets Manager.

Watch the full session recording or read the full Q&A below.

Strategies for encouraging employee engagement

Leigh Honeywell: When I was at Slack, our new hire security training was the second training that every new employee attended. Basically, you got your laptop, you received an onboarding welcome from one of the executives, and then you went straight into security training. I really appreciated receiving this right away because it made it clear this was an existential priority for the organization. I'm curious what strategies you have both found to be effective in terms of encouraging employee engagement around cybersecurity. 

Henry Fisher: My main role has been focused on end users rather than the corporate environment, but I’ve found that personalization and helping people genuinely care and understand how security protects their data is really important. This is a good starting place, because people struggle to conceptualize why it matters. They need to understand how security impacts not just the company, but themselves. A lot of data breaches actually target employee data, not just customer data and other company secrets. Data breaches can impact companies, customers, or even society, depending on how important services are to a community.

Leigh Honeywell: That’s a really interesting perspective. There are no magic bullets. That's one of the hard things about this work. I primarily work with people in their personal capacities as well, because we're focused on online harassment and personal cybersecurity threats. Encouraging people to lean into personal cybersecurity practices has a great effect on the enterprise security posture. 

Phillip Kampmann: Agreed, tailoring training programs to address security when onboarding new employees is very important. It’s also important to offer them real-life examples of how to actually utilize security tools as well as share tips on how to avoid some of the pitfalls that are out there in regards to phishing emails and other threats.

Leigh Honeywell: What are the pitfalls you’ve seen, especially around security culture?

Phillip Kampmann: The main pitfall we see is people's ability to choose a good password. That's where we often see people failing. That’s also why we focus on engaging with people about how they should use their security tools, such as setting up rules for how to ensure password length and complexity. 

We want to create a culture that encourages employees to notify us when something goes awry and prioritize real-life, ongoing training exercises throughout an employee’s tenure to ensure continuous improvements and security.

Tips for SMB to enterprise

Leigh Honeywell: Several of us work at smaller organizations and folks at this Open Source Security Summit range from small and medium businesses to enterprise. When you're working with SMBs, smaller organizations, newsrooms, nonprofits, you find that these entities are resource constrained. With that in mind, what do you think are the most important factors around building a cybersecurity culture? What are some challenges smaller companies face and how does it differ from enterprises? 

Phillip Kampmann: I think – especially for small and medium-sized businesses – it's important to focus on basic security measures. First off, we often aren't big enough to handle all security measures at once. Some might need to be outsourced or treated differently than you would at an enterprise level. It’s important to educate employees and ensure they’re aware of security. This holds true for small, medium, and larger enterprises.

Henry Fisher: I follow the attacks happening on the corporate end and most of them aren’t super-sophisticated attacks. They're just trying to find the low-hanging fruit, which is people making simple mistakes. Focusing on the essentials will prevent a lot of issues. But also, this is an open source conference.

Open source solutions are a fantastic option for organizations that are resource-constrained because they're super accessible with a lot of documentation. They're designed for everybody and a lot of them are more cost-effective as well. On top of that, there are more likely to be ways to modify the solution to apply to your situation.

Open source security tools

Leigh Honeywell: How do you see open source security tools fitting into organizational security, culture, and overall strategy, whether it's small businesses, individuals, personal security, or all the way up to the enterprise?

Henry Fisher: They are more accessible to end users and companies alike. 

There are so many benefits of open source, including transparency and customization.

And while proprietary solutions are sometimes the answer, I think open source solutions generally have a bigger community backing, which cumulatively provides a lot of value at a very low friction point.

This might sound silly, but open source documentation is beautiful to me because many open source projects try to make human documentation that anyone can understand regardless of background. Everything's translated and you rarely need support because it's so well done. And I think that's kind of rare nowadays. 

I see open source security tools fitting into many parts of a company's culture and strategy. Open source has a lot to offer.

Phillip Kampmann: Another key benefit of open source is the timeliness of fixes. 

There's often a lot of people looking at open source projects; consequently we have the ability to fix small and big issues within due time. We can also make our own solutions flexible when it comes to using different kinds of open source systems.

Leigh Honeywell: We’re all big fans of open source at this summit. But to be a little self-critical and reflective, what are some of the challenges that you've seen with implementing open source security solutions, either at a cultural level or at a technical, practical level? 

Henry Fisher: One thing that personally concerns me, my company, and people I know, is that people need to believe they can get support directly from the software if something goes wrong. Sometimes open source can feel like you took the training wheels off your bicycle and now you're on your own. A lot of organizations might be intimidated by that. But, that's not always the case. 

Many open source organizations do have support and offer specific programs for enterprise customers.

It does help fill the gap, although it might not be as readily available for smaller organizations or projects. 

Leigh Honeywell: I must focus on the flexibility of using open source, both as a pro and con. I think the pros are definitely there when it comes to customizing and personalizing. But some of the smaller projects might not have the resources to actually be there. They might not have the contributors to adjust to what’s happening in the market in time. If you identify a challenge there are opportunities to personally add, contribute, and fix stuff yourself.

Leigh Honeywell: What is one big security oversight that you see happening across organizations?

Phillip Kampmann: I might have said lack of security awareness a couple years ago, but that’s changing for the better, among both small and larger companies. We’re also seeing this improve as more security regulations are implemented around the globe. So I'm actually not sure what the biggest problem is at this point of time. I think in smaller companies, it might still be things like bringing your own devices that might contain different kinds of malware.

Henry Fisher: I think what can be the most devastating thing that companies don't think about is whether or not the third party tools they rely on are secure. This is actually a good selling point for open source, as well.

Specifically, I'm thinking about the GoAnywhere data breach, which is the most recent one. It’s now hitting hundreds of organizations and impacting millions of people just because one piece of software was insecure. Those can be really disastrous. It can take just one person screwing up to affect thousands of companies. Choosing great open source tools that are trusted and being securely updated is very important. 

Learn more about the annual Open Source Security Summit.

