The slogan “safety is everyone’s business” is not new. I’ve recently heard several IT managers state: cybersecurity is everyone’s business. They are right. Everyone needs to take responsibility and contribute to cybersecurity. But the responsibilities in this area are shared between three parties: the executive leadership team, the IT team and the rest of the teams.
Usually, when the IT or IT security manager tells me “cyber security is everybody’s business”, the next phrase is “no one is taking their responsibilities” or “it’s up to them to do what is necessary”. Let me explain what shared responsibility is all about. I will use the example of health and safety, which has been managed for many years in all organizations. Finally, you will find real-life examples: passwords, phishing and restriction of rights on my computer.
Health and safety governance
For the past 100 years or so, organizations have had to ensure that their teams are healthy. This is usually a legal requirement. Management committees set up a health and safety department. This team leads risk analyses, tracks and analyzes workplace injuries and accidents. They are responsible for the risk management process. Based on their analysis, they decide which measures will best protect everyone. They write policies and provide resources, such as personal protective equipment (PPE), to ensure safety.
However, if they provide the means, they are not responsible for the application of the measures. In fact, it is up to each and every one of us to take responsibility and wear our PPE. The health and safety team cannot stand behind every worker and check on compliance. Hence the famous slogan: safety is everyone’s business!
Front-line managers have a responsibility to explain the measures, create meaning and remind people of the instructions if necessary. Human resources often have policies to support managers when some people refuse to implement safety measures.
But in the end, it’s up to each and every one of us to make sure we wear our PPE, respect the safety measures in effect and remind colleagues who forgot to put their helmet back on after the break.
The sharing of responsibilities between the executive leadership team and the IT department
It’s exactly the same with cybersecurity. Although it is everyone’s business, it is the executive leadership team that has the leadership and gives the means to the IT (or information security) department. The latter conducts risk analyses and determines the measures required to protect the organization. It finds and implements technological solutions and writes policies. The executive leadership team approves them and follows up on the information security risk register. Just as it monitors financial, operational and of course health and safety risks.
Cyber Risk Awareness and Training
Cybersecurity ensures the security of data and systems. It is much less tangible. Today, everyone understands that catching a heavy object on the foot can break it and that noise can damage hearing in the long term. Health and safety teams have been doing risk education.
Cybersecurity risks are much harder for teams to grasp because their impact is indirect and intangible. For example, writing my password on a post-it note or emailing it to a colleague doesn’t seem to have as much impact as using a chainsaw without gloves.
So the IT security team has a lot of educational work to do. They must take a proactive approach, listening to the organizational needs. Their expertise is to put the risk environment into perspective with the reality of their organization and each sector. As in health and safety, the measures do not apply blindly to all, but are adapted to the risks in each sector. People who travel with their laptops abroad do not have the same risk profile as those who use a shared terminal on the organization’s premises. It’s everyone’s business, but not in the same way.
Above all, IT security needs to get everyone to understand why cybersecurity is important to the organization. There are many awareness programs. But today, I think we need training, because the risks are too great. They may differ from one sector to another. A one-size-fits-all approach will not yield the best results.
Three complementary responsibilities
On its side, IT security teams must ensure that they understand the value delivered by the organization. They must do everything possible to support the creation of value. At a minimum, they should not impede operation and increase constraints unnecessarily.
On the other side, the rest of the organization will always tend to rely on the experts… “I don’t need to think about it, we have a team that takes care of it”. That’s true, but it’s a support team, which facilitates. The operational teams must take responsibility for a number of actions, in particular compliance with policies.
Cooperation is the key to keeping the organization safe. Theexecutive team is responsible for providing leadership and delivering key messages to ensure good cooperation and, most importantly, strategic alignment.
How do you explain that cybersecurity is everyone’s business?
I suggest an 8-step action plan to better share responsibility.
- Understand your organization’s value chain
- Identify your critical operations and data
- Conduct a risk analysis with the operational teams
- Define the actions to be taken to reduce the risks deemed unacceptable
- Put in place the necessary technology and processes
- Train teams on security: what we protect (point 2), why (point 1) and how (point 5)
- Check that everyone is behaving as expected
- If necessary, continue meaning-making and training efforts
Metaphors to explain cyber risks
IT security teams are sometimes a bit far from the reality of the field. They forget that for many of their colleagues, technology remains a complex and unknown universe. I’ll give you some examples of real-life metaphors to help teams understand.
Passwords and other means of authentication
When we give you access to data and systems, with a login, password and strong authentication, it’s like being given the keys to the company, you have to treat them like the keys to your house or car.
If you are asked, you don’t give them. If you receive repeated requests, inform the IT department. Just as you would inform the police if someone asked you for the keys to your house, for whatever reason.
Uber suffered such an attack in September 2022, with a hacker posing as a security team member and asking to accept strong authentication.
Digital crimes: phishing and social engineering
Crime has always existed, but today its form has changed. Not so long ago, we took basic precautions when someone knocked on the door or when we received a letter or a message on the answering machine. We knew that these unexpectedly won trips were just a way to get something else. We prevented the salesmen or surveyors from looking in the house, for fear that they would assess the value of our goods and the potential for a burglary.
Today, cybercriminals seek to gain access to the system (the house), through various means, such as phishing or social engineering. We all need to protect access to our systems and data.
Restricting rights on my computer
You complain that you cannot install anything on your machine. But in factories, no one can modify industrial equipment without asking for permission. Safety and reporting of problems is everyone’s business, but corrections and decisions are limited to the maintenance department.
Even if it is not immediate, the requests are accepted, to facilitate the work. But it is specialists who ensure that the modification is safe. They have an overview and knowledge of the operation of the machines that the field teams do not have.
If the proposed change is not possible, they can suggest other solutions to make everyone’s job easier.