Op-Ed: Employees are not responsible for cyber security, the C-suite is

Directors and C-suite executives must assume more responsibility for cyber security. This will not only better position their organisations for these policy shifts but also result in better cyber security practices as the burden is lifted from employees battling increasingly sophisticated hackers.

Two policies collide

As reported extensively by Cyber Security Connect, the federal government aims to make Australia the world’s most cyber secure nation by 2030. It’s easy to see why. Private tech industry polling indicates almost nine out of 10 Australians want strong action on cyber security. Voters expect it, and progress is being made.

It’s been six months since Minister for Home Affairs and Minister for Cyber Security Clare O’Neil unveiled the government’s new obligations on critical infrastructure and essential services as vital to the security, prosperity and sovereignty of Australia.

Directors of these companies are now culpable for failing to adequately secure assets in the energy, healthcare, water, food transport, and communications sectors.

The government has been careful to emphasise that the punitive measures will be reserved for the most serious failures to improve standards and practices. The Cyber and Infrastructure Security Centre has commenced work on the Critical Infrastructure Resilience Plan to make it easier for organisations to lift their game. It’s broadly understood that this is a bit of a wink and a nod that if you do your homework, you’ll be afforded discretion when things go wrong. That’s appropriate.

There’s a similar dynamic emerging with the government’s ongoing consultations to amend the Privacy Act in the wake of a series of ransomware attacks. The Tech Council of Australia has proposed a tiered penalty system, which again would allow for flexibility based on severity. But more pointedly, proposal 25.2 seeks to amend section 13G of the act to include a variety of conditions, particularly “serious failure to take proper steps to protect personal data”. Again, this is building discretion into the system.

Now, let’s return to the approach of organisations to reduce cyber security risks and the case they will put to the authorities in the wake of a cyber security incident. Does anyone seriously think the government will accept the excuse, “Well, we told our employees to be careful because cyber security is a collective responsibility”?

VIEW ALL

Good luck with that.

Collective responsibility has been exhausted

Readers of this publication will know this isn’t happening in a vacuum. The European Union’s General Data Protection Regulation looms large over both of the federal government’s policy efforts, while the White House wants to shift the responsibility for cyber security away from individuals and small businesses to the holders of personal data. Legal responsibility is shifting away from the end user, and cyber security strategies will have to shift with them.

This isn’t just a compliance issue – it’s about better results for all stakeholders. There’s a growing realisation among Australia’s company leaders, particularly its technology leaders, that the age of “everyone’s responsible for cyber” is over.

Because it didn’t work.

It’s all well and good to say employees need to take responsibility for cyber security risks because everyone is a point of weakness. However, employees might be facing heavy workloads and are not in a position to receive the endless training required to keep up with the ever-evolving techniques of hackers. In our experience, their key performance indicators (KPIs) do not and will never align with cyber security risk. They have other priorities; they’ve given all they can give.

With this history, the question of who bears cyber security responsibility invariably leads to the directors and the C-suite. It’s not just a matter of legal jurisdiction; it’s about fostering a cyber security ethos, engraving accountability into the corporate DNA, and instigating a fresh culture of conduct.

In our experience, organisations that adopt this approach meet the Australian Signals Directorate’s Essential 8 strategies to mitigate cyber security much faster and more fully than those working from the bottom up.

Leading by example and backing up the new top-down cyber security culture with the necessary investments to protect employees will put the organisation in a much better position to minimise cyber security risks and empower their employees to do what they’re supposed to be doing – fulfilling their KPIs while doing only as much as could be reasonably expected of them to minimise cyber security risk.

Shane Maher is the managing director of cloud and managed services provider Intelliworx.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.