Are we seeing a shift in who is – or at least feels – responsible for cybersecurity inside the workplace?
According to Trustwave’s 2017 Security Pressures Report, the answer is yes, a shift is happening, especially in who is putting the pressure on staff for improving cybersecurity efforts. Security is becoming more personal, the report said, with 24 percent of respondents citing pressure exerted by oneself to deal with cybersecurity, which is up 13 percent over last year’s report. Nearly half of the respondents did admit that they feel the pressure from executives and boards of directors, but that number is down 13 percent from last year.
If I just looked at those numbers isolated from the rest of the report, I’d say there is definitely a change in the air. So why is this shift happening? In a formal release, Chris Schueler, senior vice president of Managed Security Services at Trustwave, said:
Findings show that the pressures cybersecurity professionals face have become much more personal than in previous years, as executives recognize that pressure does not translate into better performance – instead it may lead to stress, burnout, and faults. In an era where security talent is at a premium, organizations cannot afford to lose these skilled individuals.
I don’t disagree with this, but more is at play than leadership recognizing the pressures and the risks of losing skilled professionals. Executives and those charged with handling security still don’t see eye to eye about who is responsible for protecting the data. According to a BAE Systems study, each side points fingers at the others, saying they are in charge. As Beta News reported:
According to the research, a third (35 percent) of C-suite executives believe IT teams are responsible for data breaches. On the other hand, 50 percent of IT decision makers would place that responsibility in the hands of their senior management.
While I like this idea that security has become personal – it means that someone is taking ownership of cybersecurity – I also believe that within an organization, security has to be a shared effort. Everyone needs to step up and stop expecting someone else to take the responsibility. The Trustwave study also found that the percentage of respondents who keep all security operations in house has dropped from last year. Turning to outside security partners shifts that pressure from everyone in-house, freeing them up to perform their actual job duties but not absolving them from being an active participant in cybersecurity efforts. As Schueler said:
My advice to those facing these pressures head on is to no longer think of security as a siloed discipline. To build a successful security program, you must establish both internal and external allies. Partnering with a managed security service provider can help compensate for and amplify areas of your security program that you find too complex or lack the internal resources to address.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba