Distributing Security Responsibilities (Responsibly)

COMMENTARY

Love it or hate it, cybersecurity compliance continues to be top of mind across private organizations and federal bodies alike. With new regulations on emerging technology continuing to be developed and introduced, even the US Senate is proposing legislation to streamline federal cybersecurity regulations. 

Regulations offer security leaders leverage for improving processes and strengthening accountability for cybersecurity throughout the organization. However, new compliance requirements also increase the burden of making sure the security program meets the requirements of all external stakeholders. Many chief information security officers (CISOs) must simultaneously navigate the need to contain costs, increase trust, improve security, and support the business while maintaining compliance. 

Supporting cybersecurity compliance requirements is particularly challenging for today's security leaders because they don't control all aspects of security in the organization. Employees across all departments make decisions each day that impact the security of the organization's data. CISOs can harness a distributed responsibility model to address security and compliance needs, but they must do this in an intentional way. The key is to make sure all internal stakeholders understand the role they play in the organization's security program and hold them accountable for their responsibilities.

Clarifying Expectations Beyond the Security Team

It's true that security teams have the specialized knowledge that colleagues in other parts of the organization lack. That's why such groups monitor for suspicious activities, identify and track vulnerabilities, ensure that the necessary security measures are enforced, and provide security guidance.

When designing security programs, however, CISOs must also document the expectation that all employees across an organization must do their part in safeguarding the company's systems, applications, and data. This goes beyond the employees merely maintaining the vague sense of awareness emphasized by the requisite security awareness training. 

The CISO should lead the effort to clarify the security responsibilities that extend past the security team. Methodologies such as the RACI matrix help capture who should be responsible, accountable, consulted, and informed for specific security-related tasks. Even if the resulting matrix isn't perfect, the discussions that lead to its creation surface responsibility gaps so organizations can address them. 

Enforcing Accountability Across an Organization

It's unreasonable to expect that employees — especially those without security training and expertise — will always make the right decisions when it comes to data protection. CISOs can mitigate this risk by deploying technologies that make it easier for employees to perform their work securely. For instance, security leaders can define configuration templates that disable unnecessary features or enable security capabilities. Another example is automatically enrolling accounts with multifactor authentication (MFA), rather than requesting that each employee elect to apply these safeguards. 

While mandating MFA minimizes the opportunity for noncompliance with security expectations, automatic opt-ins like this aren't always possible. Security leaders should also establish guardrails against severe risks resulting from decisions that are outside the boundaries the organization considers reasonable. The use of network security measures like DNS filtering, for example, restricts access to dangerous website categories, in turn decreasing the likelihood that an employee unknowingly interacts with a malicious online resource. 

In addition, the security team must monitor for gaps in security and take action when issues arise. Security event aggregation and continuous compliance monitoring, which automates the tracking of security controls, along with modern asset management approaches, are pieces to this puzzle. 

Making Security Responsibilities Personal

To ensure that people outside the security team pay attention to their security responsibilities, security leaders should look for ways to establish a personal connection between the individual and the data or system they help protect. For example, employees typically feel a sense of ownership over the laptops and files they use on a daily basis. Therefore, the CISO can highlight that connection when discussing endpoint-related security measures that depend on the employee, such as manually updating software that isn't centrally managed by the organization. 

Just like personnel outside of security should understand how their security responsibilities apply to the work they do, the people on the security team need to understand how their responsibilities aid the organization as a whole. What business initiatives are supported by the work that the security team is doing? Understanding this connection will not only motivate the security personnel but also allow the security leaders to have the business context when collaborating with colleagues throughout the organization. 

Security leaders will amplify their powers and motivate others to do their part in securing the organization by aligning security responsibilities with the personal interests, affiliations, and objectives of all stakeholders.

Empowering Everyone to Do Their Part

There is power in numbers; outlining the wider organization's proactive role in fortifying the security program allows the security team to focus on the most pressing issues that only they can solve. Helping employees understand the role they play in the security program will prevent coverage gaps, avoid misunderstandings, and ensure that the right processes are in place for a security program that supports the relevant compliance requirements. 

Security teams play a key role in safeguarding their organizations. This includes empowering colleagues in the wider organization to do their part and making sure they understand their roles.