Expect the Unexpected: 3 Lessons for Building a Culture of Security

In just the last few months of 2023, there were quite a few publicly disclosed security incidents, from organizations large and small. And it’s possible that I missed some because MongoDB dealt with an incident of our own. Managing that was an all-consuming, round-the-clock effort for teams across MongoDB.  

As unpleasant as it was, MongoDB’s incident reinforced lessons that any security leader should put into practice immediately. It also underscored the importance of building a culture of security.  

As the National Institute of Standards and Technology notes, having a strong culture of security means employees “view good cybersecurity practices as good business.” The more security is ingrained into an organization’s daily practices, and the more security is everyone’s responsibility, the more vigilant and responsive an organization will be. 

Here are some keys to building a culture of security: 

1. Prepare for the unexpected. 

Security incidents can happen at any time. My team understands that in today’s ultra-connected world, incidents are a normal (if unpleasant) part of doing business, and it's our role to minimize the impact of any event. However, the things that surround incidents -- what led to their occurrence, and what happens while managing one -- that can be truly unexpected.  
 
For example, as we dealt with MongoDB’s security incident, my team also contended with power outages, a leader’s laptop crashing, and -- tragically -- the deaths of two family members. For all those things to happen in a week and in the midst of a crisis was crushing. 

Related:7 Top IT Challenges in 2024

2. Don’t be thin on the ground.  

According to Layoffs.fyi, during 2023 more than 250,000 people were laid off across tech, including thousands of security professionals. While cost-cutting isn’t new, “doing more with less” doesn’t work for security. Overly aggressive job cuts can lead to increased risks, by unintentionally creating insider threats, or by untrained or over-stretched employees taking on extra work and inadvertently creating vulnerabilities. 
 
Instead, security leaders should adopt a “defense in depth” strategy to prevent incidents and to avoid an overreliance on individuals when incidents occur. Also, remember how stressful incident responses can be. So, giving your team downtime is important, as is recognizing the role their support systems play.  

But security leaders can’t ensure the right level of investment without opportunities to engage with leadership. Unfortunately, at many organizations CISOs aren’t members of the C-suite, and board engagement isn't assured. Having the ear of an organization’s leadership is critical for security leaders to secure resources.  

Related:Zero-Trust Architecture: What You Need to Know

Finally, every CISO should have a deputy whom they trust implicitly, and whose skills complement theirs. A house is only as strong as its foundation. 

3. Communicate with one voice and one message.  

While I tend not to speak in maxims, I do have one mantra that I like to repeat: “One voice, one message.” There’s no place for ambiguity in business, especially during a security incident. My team must know who is doing what, when and why. 

When incidents occur, timely, clear communication is as important to an organization’s response as containing the incident itself. Indeed, public perception of an incident response can be more harmful than incidents themselves if an organization is seen as being secretive or deceitful.  
At MongoDB, we believe it’s important to be transparent and timely with our communications, and a lesson we learned from our incident is to ensure that the right folks are involved from the start. For example, account executives field many customer inquiries, so sharing facts and clear information is vital so they can tell everyone the same story, every time.  

Related:Why Cultural Institutions Are Rich Targets for Cyberattackers

And, getting buy-in from leadership at the start of any crisis will ensure streamlined communications throughout.  

MongoDB Today 

Fortunately, MongoDB had already applied some of these lessons when our incident took place. Though there are things I might have done differently, because we had a strong team and set of processes in place when MongoDB’s incident occurred, we were able to react quickly to the unexpected.  

Since then, MongoDB has taken steps to harden our security posture and to prepare for the future. For example, teams across MongoDB will be doing more comprehensive tabletop exercises, and we’re thinking about how to incorporate less tangible things, like increased stress, into our planning. 

The company also added its first Head of Trust, George Gerchow. Reporting to the CISO, MongoDB’s Head of Trust will forge relationships to advance our security strategy and solutions. In addition to collaborating with MongoDB customers to improve their security posture, George will be an internal security evangelist, and he brings a passion for security-first culture to MongoDB.  

As Deloitte CEO Punit Renjen has said, “Trust is not just an outcome of success. It is essential to success.” 

I’ve worked in security for decades, and while I’ve been talking about the relationship between culture and security for years, I feel more strongly than ever that the two are intertwined. Given the rising number of threats from technology like generative AI, strong security cultures are more important than ever. To use another (overused) maxim, it takes a village to prevent and respond to security incidents.