CyberWyoming note: In collaboration with the Identity Defined Security Alliance, CyberWyoming is releasing a four-part series of blogs on Identity Management for Identity Management Day on April 11, 2023.
Day 1 – What Is Identity Management and Are Your Employees Taking It Seriously? https://cyberwyoming.org/day-1-what-is-identity-management-and-are-your-employees-taking-it-seriously/
Day 3 – How Small Companies in Wyoming Can Create a Culture of Security https://cyberwyoming.org/day-3-how-small-companies-in-wyoming-can-create-a-culture-of-security/
Day 4 – Don’t Wait for a Security Crisis to Start Building a Security Culture and Relationships in Tech! https://cyberwyoming.org/day-4-dont-wait-for-a-security-crisis-to-start-building-a-security-culture-and-relationships/
What is a culture of security?
By Mary Keane, Marketing Contractor, Author, and retiree from Oracle
What if companies could develop a culture of security to include every employee in identity management? Here’s how it happened at Oracle where I worked for twenty-two years in engineering.
In late 2001, the CEO of Oracle Corporation, Larry Ellison, announced that the Oracle database was “unbreakable” at the COMDEX computer expo in Las Vegas.
It was the start of a huge marketing campaign for Oracle to promote the security of the world’s most used database. I had started working in Oracle’s application engineering division less than two years earlier. My team worked on a small application that did not use the Oracle database, so, other than tuning into Larry Ellison’s speech to see the latest Oracle announcements, we did not know that a sea-change (a substantial change in perspective) was about to hit the company that would affect every employee’s knowledge of and responsibility for security.
That announcement triggered a call-to-action deep in the hearts of hackers, would-be hackers, ethical hackers (yes, there is such a thing), and security experts, all feeling the need to prove the CEO wrong. David Litchfield, an ethical hacker, made it his mission for nine years to get Oracle to regret such a reckless statement.
With all this attention on the database, other hackers started looking at Oracle’s other software products, including its applications. Suddenly all engineering teams were extremely aware of the need to keep the hackers out of our customers’ data. And it didn’t stop there. A culture of security took hold at Oracle where we were not only responsible for keeping hackers out of our software but also took seriously our responsibility to keep our own data private.
One method that hackers were exploiting at the time was to hang out at restaurants and bars in the California Bay Area that were popular with software engineers. They would simply listen to conversations to see if they could pick up any bit of news that would allow them to exploit a vulnerability in the software. Think about how often you see groups of co-workers venting at a restaurant, and you will realize how easy it would be to overhear a couple of people talking about a bug they had just found and needed to fix.
The annual Oracle OpenWorld, which attracted tens of thousands of customers, media, and Oracle employees to San Francisco, was a great place to pick up engineering gossip during the event and the evening parties. Unfortunately, even engineers forget to watch their words when the alcohol is flowing and the dance music is energizing the crowd. As a manager, I felt like I spent all my evenings during that week reminding engineers to watch what they were saying.
The good news is that the culture of security grew even stronger once many Oracle customers started using the Cloud for their database and applications software. Now it was even more imperative for Oracle employees to keep security in mind in every line of code written, every quality assurance test, and even the way documentation was written. Sure, it would be cool to tell a customer in some documentation how they can write a script to get around a security feature that drives their employees crazy, but the customer isn’t the only one reading that public documentation.
We learned that everyone at Oracle had a part to play in keeping our software secure and our customers’ data safe. That ran from the people who cleaned the offices (shred every piece of paper, just in case) to sales (don’t tell anyone about the new security features until they are delivered) to documentation to quality assurance (find those bugs before the hackers do) to engineering (code review and secure coding practices).
By the time I left Oracle in 2022, each employee was required to take yearly security courses tailored for their division. Team “bug hunts” would be scheduled throughout the year to find any bugs or security issues before the software was released. We had QA teams, but they could only find so many issues, and never underestimate the creativity of a team of people who really want to find some bugs to win a $10 Starbucks gift card.
In Oracle’s case, the security culture happened rapidly because we had become a target for hackers. But any company, small or large, can create their own security culture.
Change Your Company’s Culture – Wyoming’s Cybersecurity Competition for Small Business
In its sixth year, Wyoming’s Cybersecurity Competition for Small Business is one-on-one, on-the-job, human-focused security training that starts with the company’s mission statement and ends with security policy writing. Wyoming business leaders meet their security goals and, as a result of completing the program, have increased confidence in the subject, better relationships to support their security efforts, and improved products and services.
Registration continues through May 1. Winners receive cash prizes and a speaking engagement at the annual cybersecurity conference. Register at https://cyberwyoming.org/competition.