There is a common phrase used in an attempt to get “Everyone on Board”. It goes something like this: “Something” is Everyone’s Job. It might be safety, customer service, strategy, and more recently: Cybersecurity. Cybersecurity is NOT Everyone’s Job. Someone needs to own it.
I fully understand the intent of the “everyone’s job” statement. You want buy-in from everyone, from the leadership on down. That is a mission worth pursuing. The issue is that if Cybersecurity is everyone’s job, then its importance is diluted, and ownership and accountability are taken from the person or department that is truly charged with it. Or worse, it becomes nobody’s job.
Think about it like this. If you were to go to the hospital for surgery and there was a big sign on the wall that said “Surgery is Everyone’s Job”, you might think twice about staying. Surgery is probably best left to the professional who has been trained to do it. While Lisa in reception is smart and capable, she probably has her own role to fulfill.
The National Institute of Standards and Technology (NIST) recently published a guide called “Cybersecurity is Everyone’s Job”. We have a lot of respect for NIST and are faithful followers of their work. The guide goes on to explain that everyone in an organization has a role to play in ensuring that IT Security is upheld. IT Security needs to pervade the culture of the organization. These are concepts we fully agree with. The security program needs buy-in from everyone.
The organization needs to implement methods to reduce risk and enforce security controls. Leadership needs to support the IT Security practice and enable it to do its job. The organization needs to identify a person or a role whose job is to own the cybersecurity practice. That person, usually the Chief Information Security Officer (CISO), needs to be empowered to make decisions to improve security, educate the organization, build and lead a team, direct activities and budget, and ultimately OWN the security practice. No person is an island, and this role is no exception. Additionally, assigning responsibility and accountability to someone is not an attempt to direct liability at an individual. The organization is a team, and teams fail and succeed as a whole, but the leader needs to take responsibility for it and make strides to improve.
The CISO role needs to be filled by a strong leader who is willing to communicate across the organization, empower their people, and articulate the risks to the business in a concise and meaningful way. The business needs to support and empower the role. A great IT Security leader with no decision-making power and little self-direction is set up to fail. Additionally, a Security team leader who is given this responsibility on top of several other roles is a recipe for disaster.
I have spent time with many organizations that have employees who “wear multiple hats”, and while it seems to meet the budgetary concerns, it tends to be short-sighted and more expensive in the long run. You can get away with leaving risks unknown and unaddressed for a while, but it commonly comes back to bite you. Having multiple hats opens you up to this additional risk.
Your organization should identify a person who has the ability to own the responsibility for IT Security. That person needs to be accountable to the business, understand the security risks associated with it, and be able to lead and manage people, process, and technology to reduce risks to an acceptable level. In addition, the role needs to be self-directed so that the leader can execute on the identified vision.