Many people when you ask them who protects them from a fire they will tell you the fire department does. If you ask them who protects them from crime, they will tell you the police do. If you ask them who protects them from a medical problem they may say their doctor or the medical system does. But this is actually not the case. In each one of these examples, the person protecting you from these hazards is yourself.
These outside entities assist in your protection. But mostly they are there to fix your problem after it has happened. Firemen come very quickly and spray water on your burning house. Police merely react most of the time to a committed crime. Do not believe me? Think back to an experience of having your house burglarized or your car stolen, or even more serious a physical assault. Did the police stop it? No.
The Real Protection
No, they came in after the crime happened and they took down a report, so you can give it to your insurance company. Are they even going to leave your broken home and run out and start chasing down the criminal looking for clues or putting together a timeline, interviewing witnesses, taking fingerprints? No, they’re not. They simply do not have the time or the money to do this. It is basically up to you.
It is exactly the same with your IT department. They do not have the time or the skilled manpower to discover and protect you from every cybersecurity event that occurs. It is just not in their sphere of capabilities. They have budgets to maintain, customer service issues to deal with, management priorities to accomplish by next Monday at 10:00 AM.
The idea that your IT or IS department is there to protect you is a myth and none of us want to admit it. And this myth, unfortunately, is very destructive. Because it gives us the mistaken belief that we are being protected by some all powerful all knowing outside entity. And that in itself leaves us helpless.
Myths
We have this myth that big brother is watching. I am a member of InfraGard one of the finest national public/private cybersecurity information sharing organizations out there. But they are not protecting you. We are strictly an organization to share our information and best practices, so we can as cybersecurity professionals go back to our clients and help them be a little bit more secure.
So, take charge of your own cybersecurity. Empower your own employees and their department managers. Give them the tools they need to take effective action at a local and very real level. What reporting mechanisms do you have in place? What types of training do you provide for your rank and file employees? The folks at the ground floor, the people in the trenches. They are the ones protecting you.