Recently, the National Institute of Standards and Technology (NIST) released a draft cybersecurity guidebook stating that cybersecurity is everybody’s responsibility. It is not just the responsibility of the tech support guy. It is the responsibility of the accountant, the janitor, the human resources manager and the CEO.
According to the draft guidebook, underlying all company operations should be a strong cybersecurity culture. The culture should include the proper mindset among employees. The culture should be created and implemented from the top down, with the company’s leaders setting the tone. The culture should be reinforced with training and awareness events.
Company leaders can include the president, CEO, director, partner, owner, principal, chairman and many others. Many company leaders treat security as if they were immune to security policies. Leaders act as if there were two sets of rules: one set for them and one set for everyone else. The reality is they are the example for their employees.
The example set by leaders reminds me of research I recently saw. The research showed that teenagers learn their driving habits from their parents. If the parents are bad drivers, the kids are more likely to be bad drivers. The same applies to establishing a culture of cybersecurity. Whatever culture is set within a company, it must start with the leader.
Leadership should set the overall direction, establish priorities, maintain influence and mitigate risks. According to NIST, the role of leadership, planning and governance is about managing and mitigating overall risks, establishing the framework for governance controls, identifying resources and setting priorities for cybersecurity programs.
Before providing true leadership, a leader must understand the fundamentals of cybersecurity. From the leadership perspective, an important aspect is risk management. Managing risks within a company spans several categories. I would encourage consideration of the following five separate categories.
Technology risks include hardware or software failures, such as an Internet router or operating system failing. Technology risks also include implementing hardware and software that doesn’t meet specifications.
Security risks are the risks that most people think about first in risk management. Security risks include hardware loss, damage, theft, and unauthorized access to data or internal systems. Many of the high-profile incidents fall into this risk category, but it is only one of several risk categories to consider.
Policy and legal risks include those that correspond to regulatory requirements, the inability to recover from incidents, and the absence of policies and procedures, which leads to inappropriate use of company assets. Example risks include noncompliance with relevant laws and regulations, breach of license, and lack of a disaster recovery plan.
Personnel risks are a very large risk area to consider. Personnel risks can include human error or the loss of key personnel. Examples include the loss of critical skills when an employee leaves and errors in data due to inaccurate data entry.
Infrastructure risks are those external services that your company depends on. These include power, phone, Internet, water, and even a key supplier. Example risks associated with infrastructure are the inability to send email or access the Internet. While it isn’t discussed often, for many companies that I have been associated with, if the Internet provider goes down, the organization cannot operate. In some cases, companies will just send the employees home because the connection is that vital to the company’s operations.
This column has focused on the cybersecurity responsibilities of company leaders and the risks that leaders must consider. Security is also the responsibility of sales, marketing and communications; facilities, physical systems, and operations; finance and administration; human resources; legal and compliance; and information technology.
NIST points out in its guidebook what should be common sense to every reader: cybersecurity is the responsibility of everyone. Each category of employee has a significant role to play in cybersecurity. Cybersecurity should be embedded throughout every business process, such as accounting and sales, instead of being the sole responsibility of one IT function.
The better cross-department collaboration is established, the more secure a business will be and the easier it will be to ensure security is entrenched across the entire company.
If you agree that cybersecurity is truly the responsibility of everyone, employees should be empowered to learn, develop and secure their area of responsibility.
That doesn’t mean you should give administrator passwords to everyone in the company. It does mean that you should value your employees’ perspective and consider them an extended cybersecurity force. Cybersecurity is the responsibility of everyone.
Michael Ramage is the director of the Center for Telecommunications Systems Management (CTSM) at Murray State University and serves as the president of the Technology Council of West Kentucky. He can be reached at [email protected] or 270-809-3987.
Originally published in the Four Rivers Business Journal and available at http://www.paducahsun.com/business/journal/tech-council-eyes-regional-it-growth/article_1eebadad-7575-5bf5-bc12-a1e6631cc224.html