Who is responsible for your data? Is it the people you gathered the data from? Is it the people who process the data, be it credit card data, patient data, or company information? Maybe it is a subcontractor you have hired to handle your storage requirements? Or could it be the IT department; are they responsible for your data?
If you answered yes to any of these questions, you would be off track. And if, as in many cases, you are just doing one of these anyway because that is the way it has always been done, then that would be a de facto yes answer.
You may also think the right answer is an obvious one: the management of a company is ultimately responsible for your company’s data. But that is not really the answer either. You see, a company’s management can only delegate responsibility for specific functions. So yes, ultimately management is responsible in the sense of the “buck stops here” mentality, and that is correct. But there is a more important component that we are missing.
Who Can Do The Best Job?
Many studies have shown that when rank and file employees are given a specific task with a specific goal, and they are trained properly, they will rise to the occasion and perform the task.
Ernest Shackleton, the great explorer of the early last century, has been used as an example of delegation, control and effective management practices. He had to keep his crew alive and get them rescued from the most unforgiving and harsh environments of the entire planet. He was able to do this without any modern technology or communications.
The way he did it is one of the most amazing stories of human endurance, survival and leadership, but it’s for another day. He accomplished all of this by relying on his subordinates to take responsibility for their positions and to perform at the best of their abilities. He inspired, he manipulated, he cajoled, and he shared with them. And they performed brilliantly. The account of his expedition to Antarctica is worth reading.
When there is an environment of trust and respect, management usually finds that people will step up to the bar. When there is an environment of distrust and indifference, some people may sink below basic standards. I am not saying that every person or every employee will be able to perform the functions needed. But I am saying that most can be managed, motivated, and trained to be good stewards of your company’s critical data in more ways than any other party that comes in contact with it.
Think for a minute: who knows more about your accounting data? The marketing department, or maybe the IT department? Of course, the answer is the accounting department. So they, in turn, should be responsible for generating or collecting the data as well as keeping it secure. Who is going to know where the important data for shipping and receiving is? Only that respective department will know for real. In fact, the party best placed to perform the task is the functional department that is already working with that data.
So it only makes sense that these departments are at least partially responsible for keeping the data safe. And this requires trust. So who is responsible for your data? It depends on what department we are in. Think of it this way. Is the IT department or your cyber security specialist going to see someone on the manufacturing floor walk off with a flash drive full of specifications? Are you, as the executive, going to see it?
Of course not. But if your people on that shop floor are trained on what to look for, they may notice that someone is logged into the wrong workstation, nowhere near his normal location. And just maybe that data will not make it into the wrong hands. This is just one example, but with the right processes and procedures, as well as good, intelligent cyber security policies tuned to your specific security posture and line of business, you can avoid so many problems.