The responsibility for cybersecurity is a heavy one. It has to be — a security breach can mean loss of valuable data, covert or overt control of a company’s system, serious financial loss, or even a temporary system shutdown. It makes sense, then, that the responsibility for cybersecurity falls on someone’s shoulders.
Back in Time
While cybersecurity has been an issue for some 40 years, until fairly recently responsibility for it didn't fall to anyone in particular, which created real problems. For example, in 1999 the Melissa virus spread rapidly around the country. In one company, many employees had already been verbally warned not to open attachments from unknown senders, but one young woman, who had not been warned, went ahead and opened the attachment. The company's computer system was out of commission for the rest of the day. In that case, it was the CIO who was forced to deal with the issue, since she was responsible for the system. The employees, however, laid heavy blame on the employee who had released the virus, cruelly referring to her as "Worm" (after the type of malware) for several weeks.
In many organizations, the CIO was, by default, responsible for security. But the CIO was also responsible for every other aspect of the data center, such as hardware maintenance, software versions and patches, the network, and much more. They ordinarily didn't have the bandwidth to deal with every security issue, especially proactively, and so security issues tended to fall through the cracks.
CISO
A decade or so ago, the role of Chief Information Security Officer (CISO) became widespread, and companies were quick to put one in place. The CISO became responsible for incident response, disaster recovery, access management, regulatory compliance for information, risk analysis and management, and every other facet of cybersecurity. At that point, everyone in the company, from the C-suite down to building maintenance, had someone to blame whenever there was a security issue.
However, the CISO rarely had the power or authority to fully get the job done. The CISO was not a peer of the senior executives and didn't have a seat at their table. They weren't part of strategic planning, as they should have been. The CISO was underfunded, understaffed, and didn't really have the support of the organization.
The Real Responsibility
All that being said, it was the CISO who started the ball rolling for real cybersecurity within a company. They started pointing out that security was something that needed to be holistically treated throughout the entire organization.
An analogous area of the company is sales. Sales managers and sales VPs the world over trumpet that "everybody is a salesperson": in their own way, everyone in the company should be selling its products and services. The same is true of cybersecurity, because security responsibility falls on everyone. The fact is, if you don't know how you fit into the security of your organization, your organization has a problem.
The trend in the right direction began with training employees on security basics as they relate to everyday users. They were trained not to click on suspicious links, not to open or download attachments from unknown or untrusted senders, and to keep a sharp eye out for phishing attempts.
It needs to go further than that, though. Each individual user needs to become aware that they are an integral part of the security of the organization. If they don't take that responsibility upon themselves, they will remain the weakest link, and users are already, all too often, the weakest security link in an organization.
Examples
The truth is every single part of the organization has a security function. Every senior executive, and all who report to them, must be able to answer the question of where they fit into the security of the organization. If they can’t answer that question, it’s not because they don’t have such a role, it’s because they don’t know what it is, and they need to find out.
A great example of right and wrong security roles is how a company faces the public following a breach. The pressure at such a time will be intense for the company to make some kind of statement. Oftentimes the pressure of the moment forces a company spokesperson to say the wrong thing.
A company's CISO, or other security personnel, is probably the wrong choice to talk to the press following a breach. They might be so absorbed in the technical details that they say something that should never be said publicly, such as committing to a cause or scope before the investigation has established it. The security team is certainly responsible for understanding the root cause of any breach, but they're usually the wrong choice for external communication.
Legal
Legal is commonly thought of as having responsibility only for contracts. In a heavily security-regulated industry, however, such as healthcare (HIPAA) or financial services (PCI DSS or Sarbanes-Oxley), Legal must have input into any public statement following a breach, including the timing and content of any breach notifications the company is obliged to make. Leaving Legal out might expose the company to liability. For companies that aren't as heavily regulated, it's still a very good idea to include Legal in the conversation.
Marketing communications
When it comes to public statements, marcomm must play a central role. The wrong time for a company to scramble to figure out a communication plan for a security breach is during that breach. The company needs to know in advance what to say and when to say it, so that it doesn't say the wrong thing.
Marketing
Marketing is, among other things, all about the company's brand. In the case of a security breach, the company is going to need to understand how the breach will affect that brand. Think of marketing as the "brand protector." Marketing will need to be consulted so that the impact on the brand is minimized.
For anyone simply researching your company, there should be a statement about how your company deals with security. That, too, would be crafted by marketing, and placed by them on the company’s website.
Marketing may not be responsible for the underlying technical content when it comes to cybersecurity, but it is responsible for the shape, look, and feel of how the organization expresses itself externally.
Public relations
Then there is PR, which will have a vested interest in getting ahead of any story and reaching out to the right contacts. In a breach, it will be PR, using all their relationships, that helps shape the story in the right way.
Sales
A salesperson also has a very important place in the cybersecurity of the company, because they are often the first person in your organization with whom an external party interacts.
As part of the sale of a product or service, especially an app or another product in the technology sector, peace of mind regarding security will certainly take a front and center position. If a salesperson cannot confidently articulate how the company deals with cybersecurity — and more broadly, how the overall market is currently addressing cybersecurity — they might very well lose a deal, even if the company’s cybersecurity is top-notch.
Cybersecurity in Every Business Function
Company leadership can look at every function of a business and ask the question: how does cybersecurity impact this particular role and responsibility? How can we make sure that this person is armed with the right information so they can be successful with any kind of interaction they’re likely to have relating to security?
When you think of cybersecurity strictly as a function of the security team, you're looking through a narrow lens and missing the bigger picture. If the first thing you do when considering security is point the finger at the CISO, turn that finger around and point it at yourself.
Inclusive cybersecurity for the whole organization is what Alert Logic's Managed Detection and Response (MDR) solution is built to support.