by Gerald Boyne, Head of Security Assurance, AWS DACH region (Germany, Austria, and Switzerland)
Security is at the top of nearly every German organization's agenda. Gerald Boyne, Head of Security Assurance, explores how embedding security practices into the culture of your organization can help avoid the financial or operational drain and instead turn security into an organizational enabler.
Cybercrime is the “black swan” of Germany’s digital environment; it’s unpredictable and often misjudged. That’s why, when it comes to risk management, it’s no longer a case of pattern matching. Instead, it’s about expecting the unexpected, even if that means looking for the unknown.
To do this, German enterprises need powerful intelligence to detect and predict security anomalies. However, this relies on the entire organization treating security as more than just an IT function: as a matter of culture that affects everyone.
This culture of security encourages people to come together and widen their thinking around security habits. That way, they’re more likely to champion a sense of organizational unity and become sensors of the abnormal—in turn, protecting each other and their business.
In Germany, security has often been seen as “the bad guy” or as financially and operationally draining. Now, more and more enterprises are embracing the true value of it and encouraging everyone in—and beyond—IT to celebrate its value. After all, security can be the difference between a business capable of surviving a cyberattack and one that isn’t.
Two colleagues from Deutsche Telekom IT, Andreas Terwellen, VP Security, and Jeremias Reith, Product Manager Cloud Center of Excellence, spoke about this idea at the Munich Transformation Day in early 2019. They use a DevSecOps model and speak about “leaning in” to the business need rather than always saying “no” outright. Fundamentally shifting from operating from a place of fear to being led by data, security science, and business-driven security scores is also key to their way of working.
Rather than “clipboards and checklists,” they now use “compliance operations,” and instead of keeping all the intelligence within the security team, they share threat intelligence with their partner teams in engineering and operations. They prioritize open contributions and collaboration over security-only requirements, and have set up 24x7 proactive security monitoring. They invite security experts to let engineers know immediately when something has gone wrong, and even offer to teach security and operations team members how to code so they better understand how software operates.
With this new-found appreciation, security at Deutsche Telekom is built into everyone’s day-to-day routine and becomes as natural as filtering through emails or scheduling a meeting. Security monitoring becomes proactive rather than reactive. When done right, this new way of operating is key to gaining organization-wide acceptance and transforming security from an inconvenience into a positive experience.
However, making security an enterprise norm isn’t just about people and technology working in parallel; it’s about working together to create a dynamic circle of operational excellence. In my experience as DACH Head of Security Assurance at AWS, I have learnt that one of the most effective ways to achieve this is by partnering with a trusted cloud service provider to build an environment based on automation, standardization, and scalability.
In his ebook “Creating a Culture of Security,” my colleague, Mark Schwartz, shares his experience with this subject, and what it means to have a culture of security. Now more than ever, German enterprises can see security as an enabler to their organization, by integrating this thinking into their ways of working.