Question: How do I make sure the saying “security is everyone’s responsibility” doesn’t lead to people feeling like security is nobody’s responsibility?
Lenny Zeltser, CISO at Axonius and Faculty Fellow at SANS Institute: Behind that pithy slogan is the idea that every person in the organization contributes to its security program. Even employees officially on the security team cannot safeguard information assets on their own. It’s people outside that team who deliver services, build products, and engage in various business activities that require making security-related decisions.
However, the diffusion of responsibility principle suggests that people feel less responsible when they are part of a group, possibly because they think someone else will take action. The key to combating this is to clarify expectations, hold people accountable, and establish a personal connection between the stakeholder and the affected items.
1. Clarify Expectations
We can use a responsibility matrix, such as RACI, to capture who across the entire organization should be responsible, accountable, consulted, and informed for specific security-related activities.
Cybersecurity leaders generally design and manage an organization’s security program, so they need to provide security guidance to other employees. Technical colleagues must incorporate security principles into projects, fix vulnerabilities, and deploy technology in secure ways. IT teams patch systems according to risk-based, agreed-on timelines.
Procurement or legal teams incorporate security reviews of vendors according to a defined process and include necessary security requirements in contracts. HR teams screen new hires according to specific background check requirements.
In addition to documenting expectations and speaking to other business units in their own language, the discussions that lead to creating a responsibility matrix can surface disagreements or coverage gaps, giving the organization the opportunity to address them.
Regardless of department, everyone at an organization is responsible for handling information properly, watching and reporting suspicious activities, and using established templates, libraries, and standards that incorporate company security guardrails.
2. Enforce Accountability
Even with the best intentions, those whose primary job isn’t cybersecurity will sometimes forget or not follow through on their security-related responsibilities. To increase the chances that they will remember, we can use a combination of three approaches:
Of the many security controls, ensuring accountability for patch management is particularly challenging because this practice often distributes responsibilities across multiple teams. Software might be patched by DevOps, IT, developers, external vendors — and even end users. To maintain accountability, for example, the IT team might allow workers to install approved applications that are not centrally managed but track when apps are outdated and remind end users to take action.
3. Make It Personal
Besides communicating expectations and enforcing accountability, another way to fight the diffusion of responsibility is to establish a personal connection between the person and the task at hand.
People get accustomed to the systems they use at work. Many start to think of the company-supplied laptop as “their” laptop. They consider the folders where they keep work documents as “their” folders and the applications they’ve customized as “their” apps. The security team can use this attachment to highlight the person’s connection to such assets, so they’re more likely to remember their related security responsibilities. For example:
When sharing security responsibilities across stakeholders, also point to the shared business objectives that the organization’s personnel are looking to achieve. To be successful, employees should understand the organization’s business goals and how their security responsibilities can help or hinder the company in reaching them. By framing security tasks in that context, you’re more likely to establish a security program that does actually make security everyone’s responsibility.