Like it or loathe it, YOU are a software company. Whether you are developing Microsoft Office, producing shoes, consulting or running a charity trying to make the world a better place, YOU are a software company. Even if your only use of computers is to send emails or produce flyers, YOU are a software company. Accept it, and (paraphrasing the original Spidey 🕷️) accept your great power and the responsibilities that come along with it.

Being a software company means that you are also a software security company, and thus one of your many goals should be to keep your company safe and secure from emergent threats in an ever-changing security landscape. The sooner you accept these teachings from Uncle Ben (or Si, in this particular case), the sooner you can "take the privacy and security of data very seriously" and "treat it with paramount importance".

Software Use

We are all software companies because, whilst the act of installing and using software can provide us with numerous benefits (e.g. more efficient working, communicating globally with ease, sending and receiving cat videos etc.), it can also present us with varying degrees of risk, whether we are developing it ourselves or using a program developed by someone else. If you get a dog 🐕, you could have the best experience EVER; however, you still need to accept that you could come home one day and find all your furniture chewed to pieces and that it has defecated all over your floors! Like with pets, software shouldn't be treated as something that you get but never think about again.

So what is the software equivalent of destroyed furniture and a smelly home? Great question, and the quick answer is one or more vulnerabilities getting exploited by malicious hackers, leading to unfavourable circumstances for you, those you care about and anyone else. When you install software, you are increasing the likelihood of this happening, irrespective of the problem that you are trying to solve. Hackers don't care about your intentions; they care only about what they can get away with, and they are very good at what they do. Vulnerabilities are found and fixed by vendors (especially popular ones) ALL THE TIME, which is why it is IMPERATIVE that you keep your software up to date. This is the equivalent of feeding your pooch and taking them out for long walks every day. If you don't want to do this, don't use software, period.

Yes, Windows Update SUCKS and seemingly only pesters you at the most annoying times (I think Microsoft have developed an algorithm for just this), but it is a necessary evil. Use it, or whatever the equivalent is for your operating system, to keep your computer safe from harm. It is also advisable to make a list of all the software you use and subscribe to each vendor so that you are notified of any updates and disclosed vulnerabilities. If this seems like too much effort, many applications nowadays have auto-update features that can help you. Treat those alerts as if they are a diagnosis coming from your doctor, i.e. ignore them at your peril.

All Hands on Deck

All software organisations (including ours) will benefit from wider education initiatives for all staff. These educate people about the dangers that exist, such as phishing, malware, password practice etc., and provide regular exposure to those dangers so that people don't forget. I'd also recommend starting an internal group that regularly and openly discusses security, preferably in an informal way, so that staff can consistently learn, discuss, ask questions and foster a dialogue. This enables you to build a security culture based on a thirst for knowledge rather than fear of making mistakes, and also allows the wider staff to keep up to date with the latest security news and teachings. I have personally created and managed such groups, found them to be very successful, and the feedback that I've received from questionnaires, emails, comments etc. showed that many others really appreciated the effort.

Continuous Improvement

So how can we get the most out of the security culture that we are fostering at our software company? With all the knowledge and understanding that we are cultivating, it is likely that an increasing number of security issues will be spotted by more people from around our organisation, who will be eager to let us know. The message is that our organisation is taking security seriously, so those within it may really want to help. It is PARAMOUNT that we handle this enthusiasm properly, as any wrong moves will quell this growing staff appetite and discourage them from coming forward with the information we need to keep ourselves safe and secure.

If you haven't done so already, you need to create a formal process for people from around the organisation to raise their concerns freely, WITHOUT retribution, and actively ENCOURAGE them to participate. Many eyes on a topic like this could be much better for you than relying on a smaller dedicated team (defence in depth). Asking people to send a designated security professional an email which seemingly disappears into a black hole is NOT the robust process that we are looking for. Instead, our process should encompass the ability to EASILY raise issues found, provide REGULAR feedback to the informant so that they are kept aware of progress, actually FIXING the issue raised if deemed valid, and DIRECTLY COMMUNICATING with the informant that the issue has been fixed. These elements will form only part of the overall process, but I cannot stress enough how important they are to keep staff engaged with your programme. If we don't fix issues, then people will (rightly) view our process as pointless. If we fail to communicate effectively, then informants will (maybe unfairly) view our process as pointless. If people view our process as pointless, they won't waste their time coming to us with their concerns.

Also, avoiding retribution is KEY to getting people to come forward with security concerns. Just because someone has spotted a vulnerability doesn't mean that they have exploited it, so criminalising informants will only discourage them from coming forward, leaving us with many holes in our infrastructure for other, less-concerned parties to utilise for their own gain (and to our detriment). There is no need for contacting managers, using informal routes or sending strongly worded emails/letters; these people only want to help. If they wanted to cause damage, they would just exploit the vulnerabilities and not tell you, so why shoot the messenger?

Finally, we need to FIX THE ISSUE and be open with the informant. Don't ignore the message and issue a fix stealthily, or even just ignore the message and do absolutely nothing. Sweeping known issues under the rug will just lead to more pain and suffering further on down the line. Don't have the budget? Make a case. Making a case failed? Escalate. Escalation failed? Formally state "risk accepted: no fix", tell the informant and just pray that it isn't found for as long as possible, or at least until you move organisation. Rest assured that eventually the issue will be found by someone who doesn't have your best interests at heart.

Accepting Our Responsibilities

Whether you develop software, use it regularly or even use it sparingly, YOU are a software company and by proxy a software security company. With this vast power come many responsibilities, and we must all take these seriously to avoid becoming the next casualty of hacking widely reported in the news. By educating and engaging our staff and giving them the ability to contribute to and heighten our security culture, we create a powerful ally in the fight against cybercrime. To ally is to respect and trust, and we need to ensure that staff can see the benefits of coming forward without unnecessary drawbacks. If we get this right, then maybe we can actually say that we "take privacy and security seriously" without it ringing as a hollow corporate platitude, only trotted out in the aftermath of a hack where the attacker exploited a vulnerability that should have been reported and dealt with.

Take care and all the best, Si.