Many companies hold IT solely responsible for online information privacy and security, but experts agree that this is not a sustainable security business model.
In an interview with the Wall Street Journal, former CIA and NSA Director Gen. Michael Hayden calls cyberspace “… the largest ungoverned space in recorded human history,” adding that “there is no rule-of-law [online]”. With that in mind, Hayden suggests that if the government is unable to protect its own information, businesses can’t wait for the government to protect theirs; companies need to do it themselves. However, it seems that for many businesses, security is still an afterthought.
Leave it to IT
Many companies rely solely on their IT team to champion cyber security and information privacy efforts. This poses a conflict of interest, leaving cyber security as a second-string priority. John Lyons, chief executive of the International Cyber Security Protection Alliance of Britain, sums it up well: “If you have a CISO reporting through a CIO or if you put the cybersecurity budget in the technology budget, then the security spend gets lost among other priorities. It’s right to segregate out the expenditure on security as a discrete part of the overall spend in the company.”
Here’s where the problem currently lies for many businesses:
If the whole cyber security budget lies in the hands of IT, it’s likely that they will invest fully in tools, then rely solely on those tools for information security. This inclination comes directly from their business objectives. It is IT’s job to innovate, maintain user-friendly interfaces, and ensure employees have the necessary access to important files and apps, enhancing productivity. They also need to foster collaboration and knowledge sharing. All of these, plus any company-specific business objectives, push security well down IT’s list of priorities. With security low on the priority list, it’s clear that IT may not be the best department to hold ownership of such an imperative, stand-alone business objective. If this is the case, who should be responsible?
Responsibility vs. Accountability
Before diving into the blame game, it’s important that we make a distinction between responsibility and accountability. The most accurate, articulate description I have found is by Diffen.com: “The main difference between responsibility and accountability is that responsibility can be shared while accountability cannot.” With this understanding, it’s important to recognize that while IT is responsible for following the cyber security policies and procedures set forth by the company, they cannot be held accountable for every breach or incident. So, who can?
Everyone is Responsible for Cyber Security
Keeping the difference between responsibility and accountability in mind, everyone in the company needs to be responsible for cyber security. As Rutrell Yasin writes in Dark Reading, “Sixty-six percent of the 601 data protection and privacy training professionals surveyed for the Managing Insider Risk through Training & Culture report say their employees are the weakest link in their efforts to create a strong security posture.” This may be in part because companies are relying so heavily on IT without giving personal responsibility to every employee, or equipping them with the knowledge and resources to take that responsibility upon themselves.
Tools are important. Firewalls, antivirus software, and machine learning mechanisms will create effective protections for your network, but with 65% of threats coming from inside the organization, these tools alone are not enough. Everyone needs to take responsibility for their own information security practices.
- HR should be responsible for awareness training and campaigns.
- Dev needs to develop new apps, technology, and products with security in mind.
- Chief Officers are the accountable ones and are responsible for ensuring appropriate policies, protocols and reporting practices are in place.
- HR or marketing should be responsible for making those policies and protocols widely known throughout the organization.
- Finally, the security team needs to develop policies and protocols in conjunction with the executive team, oversee access rights, perform regular penetration tests, and choose or build security tools, as well as create incident response plans, looping PR into that conversation.
Getting the Board on-board
Well, the cat is already out of the bag on the Board holding accountability. This should be a no-brainer, as a large security breach or incident doesn’t only affect finances and productivity, but can severely damage customers’ trust in the brand. As we can see, this idea of shared responsibility relies on a company culture that values security. Company culture is always set from the top, which is why it’s important for the C-suite to be the biggest champions of security. CISOs and CIOs need to advocate for this culture to the C-suite, establish clear communication with executives around security issues, and make the business case for the importance of security measures.
If executives are willing to hold accountability for security issues, everyone else in the company should hold responsibility for their individual and departmental security. If you are a security expert looking to advance security interests, create more awareness, and make security a mainstay of company culture, hopefully you can use some of the points outlined in this post to help build the business case when approaching your executive team. Laws and regulations will likely never catch up to the fast-paced growth of technological advances, so it’s in our hands to ensure that security becomes top of mind for everyone in our companies. As our online lives become more comprehensive, they also become a greater risk to our personal safety and the safety of our employees.
In short: who’s responsible for cyber security? We all are.
Looking to expand your information security and privacy knowledge? Wanting to better understand how to defend yourself against malicious attacks? Considering starting a career in cyber security? Look no further! Start your education and training today!
CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting-edge cyber security training. Our training provides the most in-demand industry certification prep courses, including EC-Council, CompTIA, (ISC)2 and Cisco, all taught by leading cyber security experts. All of our offerings are aligned with the National Initiative for Cybersecurity Education (NICE) and ensure the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses a bite-sized micro-learning methodology that ensures learners are not overwhelmed with information. Our on-demand LMS platform has white-label capabilities ideal for internal training purposes.