Elton MATHIAS

Nothing automates security faster than security culture


Major data leaks are on the rise and, as of Q1 of 2020, according to a recent report, there was a 273% increase in records exposed as compared to Q1 of 2019. How is that possible? Are attackers getting smart enough that they can circumvent even the most sophisticated security controls and countermeasures?

Such an increase in data leaks can only be explained by the fact that never in history have we had such high-speed technologies and such short release cycles in development. The amount of software that businesses of all sizes release to the market is astounding. Counting leaks without taking that into account is like counting absolute fatalities due to transport safety issues without placing them in the context of passenger miles travelled.

Enhanced Tooling
Enhanced tooling and automation play a central role in any security strategy. Whether you are an information security professional or not, over the last few years you may have heard the terms “shift-left”, “automation” and “security guardrails”. From a security strategy perspective, the increased attention and investment into automating the toolchain for developers is bringing more innovative solutions. The side effect is a much larger portfolio of tools, handed over to developers on a continuing basis.

The Race to Stay Ahead
In the face of this new information technology reality, most companies are in a rush to onboard security tools that automate some security gates while keeping the DevOps workflow from slowing down. Meanwhile, development teams are under increased pressure to deliver software at a pace never seen before while integrating all these tools into the DevOps environment (in addition to handling the findings they produce).

The Human Aspect to Cyber Security
What about the human aspect of cyber security? While automation is a key factor, it will not help if you don’t apply the proper rule sets for code scanning tools, or if you simply ignore the findings because you don’t fully understand the risks associated with them. Training employees in new technologies and tools is helpful, but it will not have the expected impact, because new knowledge tends to fade away quickly if employees are not fully convinced of the importance of security and see it as yet another backlog item.

Establishing a Strong Security Culture
This is exactly where corporate security culture comes into play. As management expert Peter Drucker famously stated, “culture eats strategy for breakfast”. Establishing a security culture is much more than enabling the workforce to apply security best practices, use the required tools or follow security processes. Establishing a security culture is about engaging people at all levels of the company to develop a security mindset, creating an environment that promotes sharing and caring as opposed to blaming and shaming. Ultimately, it’s about enabling employees to feel excited and proud of what they can accomplish.

Building a strong security culture is a long and complicated endeavour that many companies fail to do properly. At SAP, the Security Enablement and Engagement team, part of SAP Global Security, has taken this challenge as its mission; we have been building a large security community at SAP, and thereby developing a strong security culture, for many years. This effort encompasses company-wide communication channels, year-round security trainings and workshops, and a number of events to attract and engage the workforce, such as the Security Escape Rooms and Capture the Flag events.

October is Cyber Security Month around the World
October is the month when security multipliers, developers and employees learn, teach and share cyber security knowledge at SAP. Don’t miss the opportunity to refresh your security awareness, improve your skills and spread the message to your fellow colleagues, because even though automation is crucial, security is all about you.

Kristin Kufeldt

Nice post! For further amplification, would you consider adding the Secondary Tag for Cybersecurity, Governance, Risk, and Compliance to this blog?

Elton MATHIAS (Blog Post Author)

I added the Tag. Thanks Kristin for the suggestion.

Archana Karnik

Nice blog Elton. Humans are the weakest link in security. A strong security culture is essential to strengthen this link. You have laid out a good approach towards establishing a security culture. I enjoyed reading this!!

Jay Thoden van Velzen

Culture makes a massive difference. A big part of it is to be comfortable with having people constantly look over each other's work (whether in development teams, DevOps or Operations), not to find blame, but to correct and improve. Leaders and seniors need to set the example and standards, and make sure it is safe to "See Something, Say Something", so the underlying issue can be corrected.