A thread on security culture anti-patterns that I've seen first-hand over the last 25 years that I've been in charge of security for one thing or another.

My thesis: the farther security decisions are made from functional and operational concerns, the worse all three become.
We'll start with my high school's Linux server that was used for our Adventures in Supercomputing program. I was doing independent study in that class, it got hacked, I could show the teacher how, so it became my job to run it. I was in charge of keeping it usable *and* secure.
I had to lock things down but I had to keep it usable for students to *telnet* in and develop their Fortran projects. If it broke, it was my job to fix it. If it got broken into again, it was also my job to recover from it. I owned resilience: uptime, backups, and security.
Fast-forward 10 years, I'm in charge of security for a tech finance firm and we're figuring out division of responsibilities. Security mattered a lot to them, so I did all of it: Windows patches, Active Directory GPOs, host+network fw rules, BlackBerry policies, web proxy, DLP.
I broke so many things and the systems team, who was accountable for uptime of all the things, was rightly nervous about everything that I was doing that they didn't understand, have awareness of, or have visibility into b/c I just rolled up my sleeves and did it by myself.
I learned that doing it myself felt fast but was actually very slow because it produced subtle, fragile changes that only lasted until the next time something broke. Real progress came from teaching non-security staff about security so they took ownership of their part of it.
I think a lot of software engineers know that if only one person understands a piece of critical code, then it's dead on arrival. But even though I had been programming for a long time, I hadn't done enough sustainable programming in a team (aka engineering) to know this yet.
Fast-forward 5 years to when I started at Square working for @emerose and when the InfoSec team was <20 people. What jumped out at me was how much every team knew and cared about security. It was a shared responsibility across the entire company with InfoSec as the guides.
What I've come to believe is that true security resilience is measured by the extent to which non-security folks know and care about security as it relates to their sphere. No one can be a real expert in all "security" b/c it is a facet of all technology now and is context-dependent.
Like all forms of leadership, good security leadership promotes a productive security culture around them in every direction: their leadership, peer teams, teams they lead, and any team or people they interact with. It helps everyone understand how and why vs. telling them what to do.
A productive security culture is not an accountability chain driven by who fears the most things the most. Fear doesn't make good decisions nor create resilience.

A productive security culture is a mesh woven throughout the entire organization.
Keep Current with Dino A. Dai Zovi