Create a Receptive and Adaptive Security Culture - AWS Security Incident Response Guide

Create a Receptive and Adaptive Security Culture

At AWS, we have learned that our customers' teams and our own internal teams are most successful when security teams act as cooperative enablers for the business and its developers, fostering a culture in which all stakeholders cooperate and escalate in order to maintain an agile, highly responsive security posture. Although improving your organization's security culture is not the subject of this paper, you can obtain relevant intelligence from your non-security staff if they see that the security team is receptive. When your security team is open and accessible, with support from leadership, it is more likely to receive additional, timely notifications, cooperation, and responses to security events.

In some organizations, staff may fear retribution if they report a security problem. Sometimes they simply don't know how to report an issue. In other cases, they may not want to waste time, or may be embarrassed to report something as a security incident that is later discovered not to be a problem. From the leadership team down, it is important to promote a culture of acceptance and to invite everyone to be a part of the organization's security. Provide a clear channel for anyone to open a high-severity ticket whenever they believe there could be a potential risk or threat. Welcome these notifications with an eager and open mind, but more importantly, make it clear to non-security staff that you welcome them. Emphasize that you would rather be over-notified of potential issues than receive no notifications at all. It is far better for a developer to call out his or her own mistake than for a researcher to point out the issue in a public article.

These notifications offer valuable opportunities to practice responsive investigations under stress. They can serve as an important feedback loop while you develop your response procedures.