If your organization is large enough to have an information security manager or an entire security team, then it’s likely that any security issue or task will be pushed in their direction. That’s why you hired them, isn’t it?
Security is a specialized area of IT and it requires specific skills for a holistic approach. It is also a moving target with many components and attack vectors across your technology stack. A dedicated security team or individual, whether in-house or contracted, can therefore be valuable. But security must be a shared responsibility among every user, no matter their role.
There’s an inherent problem here and its name is Diffusion of Responsibility. When everyone has a stake in security and there are dedicated managers to boot, users could be more likely to engage in risky behavior. After all, it’s taken care of! That’s why we hired that security guy.
There are reasons why your IT staff (and indeed other users throughout the organization) may neglect security in their daily duties, even when working with critical IT systems and data. They include:
These factors and others lead to an overall perception that security is a problem for the Infosec Manager or department, despite user activity remaining one of the largest contributors to vulnerabilities. When security responsibilities are clearly communicated to all users, not only are attack vectors like phishing and social engineering less likely to succeed, but security problems are more likely to be discovered earlier. For example, an engineer might realize a patch is needed or a developer might recognize a vulnerability within their code.
The earlier a vulnerability is discovered, the simpler (and cheaper) it is to remediate. It is therefore essential for your IT units in particular to look for security vulnerabilities throughout provisioning, implementation, and testing, with DevOps processes that account for security posture across the entire cycle.
A major component of information security is user training and awareness. This, combined with tight integration at every stage of infrastructure and service design and deployment, helps drive home the message that information security is everyone’s responsibility. All the proactive measures in the world won’t save you if your users are inviting attackers inside your perimeter.
While most people understand the potential monetary and reputational damage a security breach can cause, the diffusion of responsibility also means someone is ultimately likely to ignore their training and forge ahead with risky behavior.
Regular (at least quarterly) mandatory security training for general users is a good start, but too many warnings and reminders can lead to security fatigue and resentment. For the IT staff, implementing security at every step and every level as part of your continuous improvement or DevOps adoption strategy is a great way to maintain security posture throughout your environment.
The true answer to security diffusion is a combination of team effort and individual responsibility. You must decide and keep track of:
Aligning your security team with the owners of systems and data as determined by these questions is key. Security must be involved when these systems are provisioned and at regular intervals once they are in production.
The system owners are responsible for determining the level of security needed for each component. They work with the infosec team to implement the technical aspects of security and to communicate to other teams any security considerations for the software, hardware, or service in question.
Regular reporting and training must go all the way up to the CSO, CIO, CTO, and CEO as applicable to your org chart and workflows, so that the C-suite has a stake (and adheres to security policy themselves). Ultimately, risk management becomes an active practice for all stakeholders. Those at the C-level should best understand their own liability and help foster a holistic approach to security that mitigates not only technical vulnerabilities but also the threat of diffuse responsibility.