Expect the Unexpected: 3 Lessons for Building a Culture of Security
The more security is ingrained into an organization’s daily practices, and the more security is everyone’s responsibility, the more vigilant and responsive an organization will be. Here’s what we learned from our own recent incident.
In just the last few months of 2023, there were quite a few publicly disclosed security incidents, from organizations large and small. And it’s possible that I missed some because MongoDB dealt with an incident of our own. Managing that was an all-consuming, round-the-clock effort for teams across MongoDB.
As unpleasant as it was, MongoDB’s incident reinforced lessons that any security leader should put into practice immediately. It also underscored the importance of building a culture of security.
As the National Institute of Standards and Technology notes, having a strong culture of security means employees “view good cybersecurity practices as good business.” The more security is ingrained into an organization’s daily practices, and the more security is everyone’s responsibility, the more vigilant and responsive an organization will be.
Here are some keys to building a culture of security:
1. Prepare for the unexpected.
Security incidents can happen at any time. My team understands that in today’s ultra-connected world, incidents are a normal (if unpleasant) part of doing business, and it's our role to minimize the impact of any event. However, the things that surround incidents -- what led to their occurrence, and what happens while managing one -- can be truly unexpected.
For example, as we dealt with MongoDB’s security incident, my team also contended with power outages, a leader’s laptop crashing, and -- tragically -- the deaths of two family members. For all those things to happen in a week and in the midst of a crisis was crushing.
2. Don’t be thin on the ground.
According to Layoffs.fyi, during 2023 more than 250,000 people were laid off across tech, including thousands of security professionals. While cost-cutting isn’t new, “doing more with less” doesn’t work for security. Overly aggressive job cuts can lead to increased risks, by unintentionally creating insider threats, or by untrained or over-stretched employees taking on extra work and inadvertently creating vulnerabilities.
Instead, security leaders should adopt a “defense in depth