It’s as simple as that. You are responsible. No one else is to blame if you have a security problem, whether it is a security attack or a major breach that ends up costing your company a lot of money. You are responsible. This might seem simplistic, but it is not really such a simple concept. The famous phrase from Harry Truman applies to you and your company: “the buck stops here”.
And that is as true today as it was in 1945. Leadership requires this of you. And you understand this and take the necessary preventive measures to deal with it, right? So why do we have so many successful security attacks in the US? Why do we have so many costly security breaches that company executives are always having to fend off? It should not be that way. Why are you responsible? You’re not a security expert and you’re not an IT person.
The Buck Never Got Here
We are literally in a situation where, many times, the top executives of a company had no idea about the vulnerability of their current security posture. They just didn’t know they were exposed. They didn’t know their first-line managers were never trained in any simple security procedures, let alone their individual employees. Think about this for a second. If you were the executive of a large bank, would you make sure that everyone from the lowest position on up is fully briefed, trained, and tested on the security procedures of their position? Would you make sure they stayed updated on a regular basis?
Of course you would, because banks have a several-hundred-year history of dealing with serious security breaches. These are called bank robberies. And over time they have figured out a very important concept: everyone is involved in the security process, not just a security guard, a security service, or even a security officer. So why is it that in the rest of industry we think security is the responsibility of some guy in the IT department, or maybe the security guy in the IT department, if you have one?
Security Is For Everyone
Yes, the people most likely to secure your data are the people who work with that data every day. They know it. These people know its weaknesses and strengths. They know what your data’s real value is. The guy in the IT department, or an IT or security vendor, can never know as much as the person who works in that specific functional area. Still, the question is: why do we do it this way? Simple: the security threats we are dealing with now are unprecedented; they were beyond anyone’s imagination just 5 years ago. And they are getting worse.
Simply put, we are playing catch-up, and the bad guys are already on the field with years of experience ahead of us. And when we figure something out, we have to play catch-up for the next exploit. It’s like running a race when you weigh 300 lbs and your competition is Usain Bolt. So if we want to stop them, or even better, prevent them from getting on our playing field in the first place, we need to take responsibility for our security. Once we do this, we can push this belief down to the rest of the organization, just as we do with any other policy-level problem.