Op-Ed: Cyber security should be everyone’s problem – accountability and responsibility aren’t the same thing

There is an uncomfortable contradiction in the idea that cyber security shouldn’t be everyone’s problem, particularly if it is noted in the same breath that “everyone is a point of weakness” – a debatable point itself. Such an ideology is almost dangerous in an age when we know human error and other internal threats are behind most cyber security incidents. It is often said that security is a team sport, but if we are no longer striving to win as a team, then we risk spreading “cyber security should not be my problem” or “I do not have time for this” mindsets among workers whose engagement is already mixed.

The reality is that the C-suite and board – let alone the cyber and risk teams – are not the teams or people that perform all security and risk-related activities. Each function and individual within an organisation is involved in the process, whether through sharing sensitive information with third parties as part of a business process, writing secure (or insecure) code, or applying security patches, to name but a few.

In this context, we are not going to progress our cyber security postures without defining responsibilities and accountability throughout the organisation, but it has to be done at the right time, with the right intention, a supporting framework, and most importantly, the right balance of incentives and consequences.

Sharing is caring

There is no doubt that new legislative efforts globally increasingly point the finger at the C-suite or the board in the hope they will take initiatives to improve cyber security postures but also tackle responsibility faking. Such regulations are pushing them to establish more effective oversight of the company’s top-level cyber security and risk strategy – in partnership with their information security and risk teams – and regularly promote best practices in order to establish a security culture within the company culture.

Globally, appetites also seem to be leaning towards greater personal liability and accountability from this group if cyber security or data loss incidents occur, and this approach seems to be bearing fruits. Our experience and conversations with company leaders reveal a renewed board focus on cyber security, and a large cohort of leaders genuinely committed to making improvements, as reflected in the regular studies showing that it is now a key business priority for which organisations often increase budgets.

But in an age of digital transformation and the cloud, all departments are generating software as a service (SaaS) and software sprawl – and often shadow IT – at a rapid pace, and there is no reason why cyber security responsibility shouldn’t be extended to them if they participate in increasing the organisation’s attack surface. Netskope published a report on SaaS sprawl last year, showing that organisations with 500 to 2,000 employees use an average of 1,558 distinct cloud apps each month, 138 of which are used to upload, create, share, or store data. This figure grows to 204 apps for organisations with 2,000 to 4,000 employees, and 326 apps with more than 4,000 employees.

In many cases, these applications are for specific or limited business use, and for security to keep pace, those departments and teams should know security guidelines and how to handle sensitive data appropriately. The idea that cyber security is better when the C-suite owns the issue and creates a top-down process isn’t wrong, but for reasons of scale and cost alone, democratising awareness and responsibility for security and sound risk management to departments and lower management makes sense, and it truly is the only way to make this practical.

VIEW ALL

Embedding security in the mission

We both held security leadership roles in some of the largest banks and financial organisations in Australia, North America, and Europe. Because they are under more stringent cyber security and privacy regulations due to the nature of their operations, these organisations offer a blueprint for achieving cyber fitness across the entire industry.

Unsurprisingly, effective cyber security requires more than just training and upskilling, and guidelines and policies only go so far. Organisations need to be clear about the differences between responsible and accountable, and explain how responsibility is shared. The idea is to embed cyber security into everyone’s role so that it is more than just an afterthought, but also an element that will measure their performance within the organisation. This translates into attached and tailored metrics and key performance indicators (KPIs) that are tied to performance reviews, or even for roles where security is particularly important, their compensation.

But organisations embracing such models need to ensure the whole process doesn’t feel punitive and that even if there needs to be consequence management when expectations are not met, there also needs to be recognition and rewards when they are, and for those championing better practices. Human beings usually react better to carrots than sticks, and the whole process has to be healthy and feel like an added opportunity to do better rather than a risk of failure within the organisation.

We advocate for the use of recognition programs for individuals who identify potential security issues – within tech or human processes – and bring them to the specialist team to help resolve them. We also deploy tougher approaches, such as blocking non-essential internet activity on work devices until necessary training or system upgrades have been actioned. We also believe that effective security technologies work hand in hand with employees – for instance, providing live AI-powered “in-the-moment” coaching when a user may be undertaking a risky activity.

Employee responsibility certainly cannot be expected to manifest without careful nurture.

When cyber security becomes part of the mission, engagement levels for training and upskilling naturally reach new levels and are not a distraction keeping everyone away from their core work. The idea isn’t to transform everyone into a cyber security expert, but that each element of the organisation knows the risks and best practices associated with their roles. For some, it will be as simple as knowing how to handle sensitive data safely and where it should and shouldn’t be, and for others, how to react to a cyber incident or ensure secure coding. The objective is that training and education always be tailored to the role.

Relieving employees from cyber security responsibility is opening the doors to more risky behaviours within organisations and the chance of data breaches or cyber incidents increasing. Clearly defining responsibility and accountability is also about sharing a spirit of unity in the face of modern criminals targeting everyone without distinction, and who also show a strong ability to gather and share their resources.

Samantha MacLeod is CxO at Netskope and vice-president for risk and security at Culture Amp; David Fairman is the chief information security officer for the Asia-Pacific region at Netskope.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.