Organization Roles and Accountability

This section is central to holistic security, addressing the whole organization. It looks at responsibilities undertaken directly by staff or appropriately delegated and outsourced to third parties.

No Shared Responsibilities

So, who is accountable for all this security stuff? Of course, we have been fed that “Teamwork makes the dream work,” and that the whole organization shares the responsibility for revenue generation, customer satisfaction and now security. Well, great, but the author believes a better approach to all these issues is for each individual, employee or otherwise, to take on 100% responsibility for security throughout – not just where their own little piece stops. It’s a mindset shift that transforms companies.

Just to get your attention, board chairs, CEOs and presidents: I love this point made by John Kindervag, creator of the Zero Trust movement:

• CEOs fire their IT, security & department heads if ransomware happens.
• CEOs get fired by the board when data breaches happen!

This work’s biggest challenge is to get active buy-in to holistic cybersecurity as an executive level imperative. According to Gartner Cybersecurity is seen as such by 88% of corporations. That’s great but (a) the perception is that it’s just an IT problem and (b) the survey is focused on the biggest companies.

Security Policy

Now we have your attention, let’s get to the number one priority for the executive team: creating and executing an organization-wide security policy. No matter how large or small you are, if you don’t have one, then stats and surveys say that you will likely lose this game. The heart of the people & organizational issues to be addressed are around commitment and integrity – ensuring that the work is whole and complete.

• Most attacks happen because people don’t have security policies or have policies not driven from the top of the organization. Perhaps they haven’t adopted container security or DevSecOps, best practices. Think of DevSecOps as having a parrot in the room that only knows one word (Security) and won’t shut up.
• If they had policies, they were often manual, not automated, not actually followed and not policed, for example not applying the latest software or security fixes, etc., as previously covered.
• For GDPR/CCPA, the privacy policies were just words on a web site and actual implementation was not policed and not kept current.

It’s likely known that it’s essential to develop, implement and execute an organization-wide security policy. Yet they often don’t exist or are not executed for three critical reasons. All of which are addressed in this work:

1. • You can’t commit to the cost of creation and execution of a security policy without curating your assets, assessing the value if protected or lost and assessing the risk of their loss/theft.
   • You can’t assess the risks of losing your assets without having and executing appropriate security policies that can be sensibly implemented in your organization.
   • Even if this dilemma is handled, you also need to have a model for the sensible adoption of any new disruptive technologies or new management organization.

It’s not surprising therefore, that Cybersecurity is just an irritation, thought of purely as an IT issue with the appointed CSO, IT person responsible for it all and no ownership of the issue beyond that. “Get on and deal with it and don’t interrupt the business. Give us a regular report and we’ll try to look concerned and interested.” Ditto GDPR statements posted publicly or put on a web site are mostly – to put it politely – positioning. Even the word “policy” can be sleep-inducing which is why I considered not putting it in the title of this section!

To transform this situation and create lasting impact for the organization, we next address security policies: policies, roles and commitments.

What is a Security Policy?

It is usually regarded as a high-level view of what should be done with regard to information, and physical security.

“It’s the baseline that executives use to define what is secure enough for their company,” says Bryce Austin of consulting firm TCE Strategy and the author of the book Secure Enough: 20 Questions on Cybersecurity for Business Owners and Executives. He explains that it’s not “supposed to solve all the problems, it’s to declare the problems you’ll take on – and to provide guidance on how seriously you take them.”

However, to be effective, yes, it may begin with high level statements but must also include a top-down approach where each relevant department person, supplier or partner takes ownership of security as it relates to their role and accountabilities and be measured as part of what corporations love to call Key Performance Indicators (KPIs).

Simple Overall Security Policy

1. Assess critical business assets
   • Curate, measure for value if protected, lost or stolen.
2. Assess risks vs. asset value.
   • People, data, information
3. Assign & delegate responsibilities, goals, ownership.
   •  All mitigation, including incident response, continuity, recovery and contingency plans, etc.
4. Continuous progress measurement
   • Report, adapt and re-assess policies, ownership.
5. Executives
   • Permanent report to executive level meetings
6. Chief security officer
   •  Owns overall security policy and its implementation.
   • Reports to the board, president or CEO
   • Organization-wide not limited to IT