Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.

How Do We Truly Make Security 'Everyone's Responsibility'?

When everybody is responsible for a task, sometimes nobody takes ownership. Here are three steps to distribute cybersecurity throughout your organization.

Lenny Zeltser, Chief Information Security Officer, Axonius

November 2, 2023

4 Min Read
Two coworkers frown as they troubleshoot a programming project together amid error messages
Source: Panther Media GmbH via Alamy Stock Photo

Question: How do I make sure the saying "security is everyone's responsibility" doesn't lead to people feeling like security is nobody's responsibility?

Lenny Zeltser, CISO at Axonius and Faculty Fellow at SANS Institute: Behind that pithy slogan is the idea that every person in the organization contributes to its security program. Even employees officially on the security team cannot safeguard information assets on their own. It's people outside that team who deliver services, build products, and engage in various business activities that require making security-related decisions.

However, the diffusion of responsibility principle suggests that people feel less responsible when they are part of a group, possibly because they think someone else will take action. The key to combating this is to clarify expectations, hold people accountable, and establish a personal connection between the stakeholder and the affected items.

1. Clarify Expectations

We can use a responsibility matrix, such as RACI, to capture who across the entire organization should be responsible, accountable, consulted, and informed for specific security-related activities.

Cybersecurity leaders generally design and manage an organization's security program, so they need to provide security guidance to other employees. Technical colleagues must incorporate security principles into projects, fix vulnerabilities, and deploy technology in secure ways. IT teams patch systems according to risk-based, agreed-on timelines.

Procurement or legal teams incorporate security reviews of vendors according to a defined process and include necessary security requirements in contracts. HR teams screen new hires according to specific background check requirements.

In addition to documenting expectations and speaking to other business units in their own language, the discussions that lead to creating a responsibility matrix can surface disagreements or coverage gaps, giving the organization the opportunity to address them.

Regardless of department, everyone at an organization is responsible for handling information properly, watching and reporting suspicious activities, and using established templates, libraries, and standards that incorporate company security guardrails.

2. Enforce Accountability

Even with the best intentions, those whose primary job isn't cybersecurity will sometimes forget or not follow through on their security-related responsibilities. To increase the chances that they will remember, we can use a combination of three approaches:

  • Enforce security expectations using technology to prevent insecure choices or actions. For example, configure user authentication to require two-factor authentication (2FA) instead of merely reminding employees to enable 2FA.

  • Implement guardrails against severe risks when people take actions outside the boundaries that the organization sets as reasonable. For example, infrastructure-as-code tooling, such as Terraform, allows users to work freely within preapproved modules while letting engineers control the overall infrastructure.

  • Monitor for gaps and take action when the right security steps aren't taken. Observing security-related activities through log aggregation is a part of this, as is continuous compliance monitoring. For instance, to confirm that background checks occur, we can query HR and background checking systems to detect missed employee screenings.

Of the many security controls, ensuring accountability for patch management is particularly challenging because this practice often distributes responsibilities across multiple teams. Software might be patched by DevOps, IT, developers, external vendors — and even end users. To maintain accountability, for example, the IT team might allow workers to install approved applications that are not centrally managed but track when apps are outdated and remind end users to take action.

3. Make It Personal

Besides communicating expectations and enforcing accountability, another way to fight the diffusion of responsibility is to establish a personal connection between the person and the task at hand.

People get accustomed to the systems they use at work. Many start to think of the company-supplied laptop as "their" laptop. They consider the folders where they keep work documents as "their" folders and the applications they've customized as "their" apps. The security team can use this attachment to highlight the person's connection to such assets, so they're more likely to remember their related security responsibilities. For example:

  • When end users have patching responsibilities for their laptops, remind people that these are their systems. Keeping the laptop in top shape — for instance, by rebooting to apply security patches — lets them do their best work.

  • When people need to remember to include security in projects or design discussions, highlight the benefits of keeping their data secure, which they're more likely to achieve by following a security expert's advice. Addressing security risks upfront will minimize the chances of a disruption to their project.

  • When highlighting the need for colleagues to safeguard data shared with third parties, point out that their interactions might be compromised if they don't follow the necessary security measures.

When sharing security responsibilities across stakeholders, also point to the shared business objectives that the organization's personnel are looking to achieve. To be successful, employees should understand the organization's business goals and how their security responsibilities can help or hinder the company in reaching them. By framing security tasks in that context, you're more likely to establish a security program that does actually make security everyone's responsibility.

About the Author(s)

Lenny Zeltser

Chief Information Security Officer, Axonius

Lenny Zeltser is the CISO at Axonius, a leader in cybersecurity asset management. Prior to Axonius, he led security product management at Minerva Labs and NCR. Before that, he spearheaded the US security consulting practice at a leading cloud services provider acquired by CenturyLink. He also helps shape global cybersecurity practices by teaching at SANS Institute and sharing knowledge through writing, public speaking, and community projects. He has earned the prestigious GIAC Security Expert designation and developed the Linux malware analysis toolkit REMnux. He is also on the Board of Directors of the SANS Technology Institute.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights