search menu icon-carat-right cmu-wordmark

Smelling Out a Bad Security Culture

May 2017 Presentation
Harald Wesenberg (Statoil ASA)

In this talk, I share experiences from years of security observations that help identify weak signals of a faulty security culture in a large organization.


Software Engineering Institute



Some call it the fourth industrial revolution. Some call it the age of digitalization. No matter what you call it, we are harvesting more and more data about people and businesses. This data is then connected to other data and exposed as services, which need to be protected properly. As software architects, our primary security goal is to write secure software. Secure software has a technical aspect that is well covered (if not understood) in developer literature, but there are also human and organizational aspects of security that software architects must manage. These aspects often go beyond the boundaries of the software development organization and are influenced by forces well beyond the company walls. On the path to security, many tradeoffs will be made, and some of them are made outside the IT organization. After working for more than 20 years in large organizations, I have found certain signals that can be used to identify whether you have a weak security culture. In this talk, I will cover topics such as balancing prevention, detection, and response; balancing short-term gains with long time security impact; handling security incidents; and communicating security concerns beyond the IT organization.