How Okta fosters a security culture
Jen Waugh joined Okta in May 2024 as Senior Director, Security Culture. One of Jen’s primary responsibilities is to apply her wealth of experience — spanning cybersecurity, governance, compliance, and leadership — to create and foster a security culture as a driving force behind Okta’s continued maturation as a security company. Recognizing that other organizations are aspiring to take similar steps and that their leaders could benefit from Jen’s insights, we asked her to share some thoughts about what it takes to evolve a company’s culture while staying true to its identity.
Although security was always part of Okta’s identity, the evolution of cyber threats — both against companies like us and against our customers — has caused us to look at ourselves through a slightly different lens. With Identity and security connected like two sides of the same coin, we’ve come to see ourselves the same way others see us: as a leading global security company. In fact, security is one of our corporate values, and every employee is responsible for helping to keep Okta and our customers secure.
We take our responsibilities seriously, and in February 2024 we announced the Okta Secure Identity Commitment, our long-term plan to lead the industry in the fight against Identity attacks.
Ultimately, our success in delivering this plan and other key security initiatives will be strongly influenced by our progress in a related area: building a culture of security within Okta itself.
Changing our DNA
A strong security culture is fundamental to ensuring that both Okta’s sensitive data and the data others entrust to Okta are kept safe.
But creating a culture of security — such that security becomes implicit within an organization’s DNA and second-nature to its team — isn’t a small or easy feat, and it doesn’t just happen. Change is required, and often that change brings an element of organized disruption.
From my past experience and conversations with security leaders throughout the industry, I kept a number of things in mind as I embarked on leading this initiative:
- A strong security culture is related to, but distinct from, the tools and technologies we employ. We have a world-class technology team and robust cyber operations, but culture is about beliefs and behaviors.
- Security should be woven into your corporate values. We refreshed our values earlier this year and introduced a new value (Always secure. Always on.) to reflect our ongoing commitment to making every employee an owner of security.
- A strong security culture must be more than just defined policies and procedures. It requires every employee at Okta to take an active role in accepting, practicing, and promoting effective security, contributing to a collective human line of defense beyond any documented policy or standard.
- There is no silver bullet, and purely tactical fixes are not sustainable. Leveraging a two-speed approach is beneficial, but be careful not to get caught in a tactical cycle — and be sure to design agility into the approach, factoring in the interplay between the essential elements of your business.
- The necessity of progress must be balanced by patience. The job is never done; it is a constant evolution shaped by the selection pressures of business strategy, priority, and the threat landscape. Keep a pulse on these things and continuously adapt your approach.
With those ideas shaping my thinking, I worked with other Okta leaders to develop, refine, and champion the three Security Culture Pillars upon which our security culture is built.
Pillar 1: Security Why
There’s a fairly famous quote from Friedrich Nietzsche: “He who has a why to live for can bear almost any how.”
Rephrased, the idea is that when people understand the reason for something, they’ll be willing to tolerate — or, ideally, to enthusiastically support — whatever’s needed to get it done.
For us, the Security Why goes deeper than simply explaining why security is important, and focuses on contextualizing security to each and every team member’s individual role and responsibilities.
We begin by understanding the external threats in a clear and data-driven way. This means avoiding broad statements, and instead taking stock of the threat landscape. What attacks does Okta face? What attacks are others in our industry facing? What are the larger trends that are shaping future attacks?
But Marketing 101 teaches us the importance of knowing our audience in order to achieve effective communication. To that end, I’ve personally interviewed more than 70 people from across the Okta organization, with each and every interview providing distinct perspectives that have formed our approach to security culture.
Working with different functional teams, we can leverage this “market intelligence” to tailor our messages throughout the organization. So while the broad goals of our security initiatives are clear and consistent, different teams can understand — in their own language — what’s required of them on a day-to-day basis and, just as importantly, why.
Leadership and communication
Looking at the wider business world, a lot of large-scale initiatives often fail because those behind them think that top-down leadership is all that it takes to change things.
And make no mistake, strong leadership (especially leadership by example) is necessary — and we’re fortunate that our CEO is championing this message. But top-down leadership by itself is insufficient, and an initiative is much more likely to succeed when there are champions throughout the organization and when communication flows in every direction.
What we are aspiring to do is draw clear linkages between security initiatives and the goals and objectives of our business. For those familiar with SABSA, we are syncing with the Business Security Architecture component of the framework, with our critical business driver being security.
I’ll give an example: Okta has multiple communication channels in place to enable active feedback and support. Our teams have options that are designed to their way of working and we are continuing to tune our approach. From day one, it was very evident that our approach must be multi-faceted, and must not make or rely on assumptions. Luckily, Okta is an organization focused on fearless and constructive feedback.
When people feel involved, when they feel that the organization is listening, when they see adjustments made because of their feedback, and when they see leaders embodying the messages they’re communicating — you’ve got the makings of a real cultural shift.
Pillar 2: Security People
Security People is about (you guessed it!) the people at Okta.
Our Security People pillar has been designed to be measurable and, in my personal view, it is — and will continue to be — central to our success.
Employee lifecycle
From a security perspective, the employee lifecycle starts the moment a role is available. Fortunately, we start from a solid baseline when we look at the employee lifecycle at Okta.
Our approach is two-fold:
- First, we look through the lens of enhancing security responsibility and accountability in every single person working at Okta
- Second, we look through the lens of associated threats
Those threats are faced by our industry every day, and complacency can lead to exposure.
We have taken a threat-based approach, and although these processes are pretty simple conceptually, in an organization as large as Okta, getting the details right is easier said than done — which makes me grateful for the partnership my team has with our People and Places group. This partnership allows us to prioritize and solve the challenges that stem from having a large and global workforce.
Global People Network
I mentioned earlier the need for multi-directional communication, and another way we contribute to that is through what we call our Global People Network.
Essentially, these are groups with cross-sectional representation from many functions within Okta. We speak with the groups, learn from them, and get their input on different things we’re trying or thinking of trying. These conversations help us to recognize issues — whether systemic or more localized — and to prioritize our efforts.
We are now establishing regional groups around the globe after a successful pilot. The pilot group showcased employees’ desire to participate and engage with our security culture. I saw firsthand the passion behind our Build It, Own It value.
Members of the forums understand and, I think, appreciate that they’re a big part of the solution — of defining and contributing to the security culture — and that their insights are shaping what we’re doing across the company.
At Okta, we also have a well-established Security Champion Network led by our Security Education team. While the Global People Network is designed to include everyone at Okta, the Security Champion Network focuses on technology and product security.
Embedded security teams
Under my colleague Charlotte Wylie (SVP Deputy CSO, Okta), we have a Security Education team. They’re predominantly focused on the continued education of our developer and engineering workforce on things like secure coding and development practices as part of a secure software development lifecycle.
Members of the Security Education team are embedded throughout the engineering organization so they work alongside our developers and coders on a day-to-day basis.
This is important for a few reasons.
First, it promotes the expected norms around secure best practices. From a cultural perspective, that’s a big win.
Second, it keeps security top of mind, promoting not just current best practices, but the expected behaviors.
Third, security is a very detailed and almost always changing topic — so frankly, it’s unrealistic to expect that every developer or engineer can stay abreast of these changes. Having everyday access to a member of the Security Education team helps the whole developer workforce be more efficient while also gradually leveling up everyone’s knowledge.
Pillar 3: Security Pulse
Security Pulse is the data-driven way we’re going to achieve our security goals.
Numbers, percentages, trends — the cold, hard facts that help us measure progress, identify where we’re falling behind or doing well, and make things sustainable and repeatable.
Recall that I mentioned the need to balance progress with patience. Personally, patience is where I sometimes struggle — I’m looking at the goals, I’m keenly aware of areas that need more work, and I’m feeling like we can’t get there soon enough. We set a very high bar.
So as much as measuring progress is valuable for the organization, the metrics are also constant reminders of what we’ve achieved and that we really are collectively moving forward.
NIST CSF 2.0
We invested time up front building out a simplified framework that maps to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 to better understand the current state of Okta’s security posture and track progress. I’m personally a fan of the updated NIST framework, particularly the inclusion of a sixth pillar — Govern — within CSF 2.0. Leveraging this approach aligns our security culture with other Okta security initiatives, and the industry at large.
Parting words
Okta’s vision is to free everyone to safely use any technology.
As a company, we recognize that bringing that vision to life requires building secure products that bring simple and secure access to people and organizations everywhere.
We also recognize that the data we hold — both our own and that of our customers and partners — and the importance of our products makes us a target for cyberattackers.
Building a culture of security is a way to level up our entire organization, the impacts of which will be far-reaching — from more efficient development of more secure code in more secure products, to greater resilience to the attacks we face each and every day.
Moving forward, together
But building a culture of security isn’t an overnight project, and it’s not a set-it-and-forget-it task; rather, it’s a long-term, ongoing process that requires collective change and concerted effort.
By sharing Okta’s approach and our experiences as transparently as possible, I hope to help you to advance on your own security journey.
The risks facing today’s organizations are simply too great to be ignored and can’t be addressed by technology alone.
And I believe that by walking this road together — exchanging ideas and insights, successes and failures, challenges and solutions — we can make collective progress.
After all, when it comes to the fight against cybercrime, we’re all on the same side.