
Cybersecurity: A Shared Responsibility

Updated: Feb 13



What does “shared responsibility” mean to you?

What are the first few responses that come to mind when you ask yourself that question? When I ask myself, I have more follow-up questions before I can begin to unravel the concept of shared responsibility.

  • What responsibility am I sharing?

  • Who am I sharing the responsibility with?

In cybersecurity, shared responsibility is complex and controversial. Everyone has their own opinions and views on what it means and what should be done. Since cybersecurity is often seen as an extension of IT or Engineering, the responsibility is most of the time placed on IT or Engineering. However, that is not entirely true. Everyone in the organization contributes to, and is responsible for, keeping everything secure.


First Things First - Top Management Buy-in


Board, C-Suite, Executives

Everything starts from the top: the C-suite, executives, and the board. They are responsible for every business decision, so why not cyber-related ones? Why do they try to wash their hands of anything cyber?

“Complexity is the failure of execution.”

In my experience, the answer is fear and uncertainty. Executives, either due to a lack of technical understanding or the complexity of technological solutions, feel overwhelmed or perhaps even incompetent to address cybersecurity issues. However, without their buy-in, cybersecurity experts have a tough road ahead of them to get done the things that will protect the organization from threats.


As heads of departments, CISOs, and cyber experts, our first task at hand is to simplify the language of cybersecurity into something most people understand, including top executives, boards, and C-suites.


Risk-Based Approach



Almost everyone has a basic understanding of what a risk is. Therefore, when the cybersecurity program is built on risks, everyone from top management to operational teams can relate it to their daily job duties and can incorporate the requirements into their processes to address them.


The list below gives a perspective on the different areas where risk exists and must be managed for the organization to succeed. As there are different types of risk, coming from different parts of the organization, they are not managed by one person or team.

  • Financial Risk

  • Regulatory Risk

  • Technical Risk

  • People Risk

  • Vendor/Third-Party/ Supply-Chain Risk

  • Privacy Risk

  • Performance Risk

  • Environment Risk

  • Geographic Risk

  • Business Continuity Risk/Geographic Risk

  • Change Management Risk

  • Operational Risk

  • Reputational Risk

  • And more….

Adopting a risk-based approach allows the organization to prioritize and focus on what is critical, rather than on everything.


Whichever framework an organization chooses to implement, all frameworks inherently rely on risk identification, analysis, and mitigation for building a cybersecurity program. The ISO 27001 ISMS builds on ISO 27005 risk analysis and ISO 31000 risk management; the NIST Cybersecurity Framework relies on NIST 800-30 for risk management. Even regulations such as GDPR, HIPAA, etc., emphasize a risk-based approach to privacy and security by design.


Based on the organization’s structure, different teams will handle different risks, thus sharing the responsibility for the program.


From Strategic to Tactical



It is important, as risk managers and “guardians” of cybersecurity in an organization, that we manage and communicate risks appropriately. Not all risks and cybersecurity issues need to be communicated to top management; however, some do. At the same time, decisions and directives need to be communicated at the operational level so that the teams can take the required and timely actions with respect to the decisions made.


For a startup, for example, management may decide to introduce a product or service to the market; for larger organizations, it may be expanding into new markets, or a merger or acquisition. Each decision comes with risks, and with actions that everyone in the organization must perform to make the company successful. If analysis of the decision reveals substantial risk to the health of the organization, such as a data breach or regulatory fines, then the operational teams need to escalate the analysis, the associated risk, and potential mitigations up the food chain, to facilitate decision-making by corporate boards and executives.


Measure Everything, KPIs and KRIs

Only what gets measured gets managed!

A program, including a cybersecurity program, comprises processes, subprocesses, and deliverables. A successful program includes performance and risk metrics in its processes, subprocesses, and deliverables, allowing managers to govern the program efficiently and in a timely manner.




Measure and monitor every area of the program. Again, it doesn’t have to be done by one person, but ensuring that everything is measured is important. As the program ages, you will accumulate measurements over time of how effective the program is. Analysis of these measurements will provide the basis for decisions made to improve the security posture of the organization.


Let us take, for example, one process: the Security Awareness Program, which is a key component of cybersecurity. How do you measure whether this program is effective in your organization? Do you check the performance of the program by asking the following questions?

  • How many employees attend the awareness sessions?

  • How many sessions in a year are scheduled and when (what time of the year)?

  • Are the programs relevant to the audience?

  • Do the actions of the employees alter after these sessions? If so, how much?

  • Does the content of the sessions reflect current scenarios and market trends relevant to the business?

  • Are the sessions passive or interactive?

  • What can be done to make these sessions interactive and engage the audience?

Not only do these questions reflect performance, but they also highlight the risks in the program. However, the risks only become visible when a measurement is attached to each question asked.


Taking the same example as above, let us elaborate on one or two of the questions.

  • How many employees attend the awareness sessions? Total: 1000 employees in the organization.

    • If 90% or more attend, the program is a success.

    • If 75% or more attend, the program is good. It would be better if attendance could reach 90%.

    • Anything less than 75% requires attention.

  • How many sessions in a year are scheduled and when (what time of the year)? Two annual sessions, one in spring and another in fall/autumn, plus four quarterly sessions on specific topics such as phishing, ransomware, the challenges of working from home, etc.

    • Are there too many sessions that impact the attendance?

    • Are the employees attending for the sake of attending?

    • Does the summer session have lower attendance than other sessions in the year?

    • Are these sessions for all employees?

    • Will the company benefit if it reduces the number of sessions but makes them audience-specific, such as for marketing only, for developers, etc.?

Sometimes you must ask more questions to obtain measurements and thus evaluate the program in depth.


These are just a few questions to begin the process of measuring the performance and risks of the programs put in place. Ask what and why; the how will follow. Each area of cybersecurity requires its own specific questions when looking into performance and risks.


There are many teams and people involved, sharing the responsibility of building and governing an effective cybersecurity program.



Maturity and Accountability


Good KPIs and KRIs lead to the maturity of the program. The quality of the questions asked while measuring the program’s growth, effectiveness, and success improves as the program matures. Before we go into detail, note that maturity is always measured over time.


Draw a line in the sand.


If a roadmap, such as a 3-year or 5-year plan, is defined, creating a maturity plan becomes easier. However, the plan should be high-level, accommodating changing environments and operational needs.


The maturity model for the program is like an infant turning into a toddler, then a teen, then a young adult, and finally an adult. As the program evolves, the risk profile changes, the performance changes, and the mitigations for the risks change. It is important that processes are continuously reviewed for relevance. It is quite possible that something important during infancy is no longer valid for a teenager or young adult.


  1. Level 1: At the initial level, the processes are ad hoc and unpredictable. Controls are poorly managed, and the organization reacts to issues and challenges as they arise.

  2. Level 2: As maturity grows, the organization still reacts to issues; however, the processes are organized and characterized by projects.

  3. Level 3: At this level, the organization is starting to turn proactive in its approach, and the processes become more organized.

  4. Level 4: At this level, the processes and controls are measured on performance; KPIs are set and become part of the measurement.

  5. Level 5: As the KPIs and KRIs get stronger, the focus turns to process improvement.


When measuring performance, good and bad results both have equal importance. Do not dismiss the value and importance of bad performance. Bad performance highlights risks and opportunities for improvement, which in turn lead to mitigation actions and hence to the growth of the company. Both good and bad performance indicators are valuable.


The maturity of the program is also directly related to RACI – Responsible, Accountable, Contributor, and Informed. RACI is a way to identify the different stakeholders for a process and the role each plays in it. RACI helps to assign roles and responsibilities to the stakeholders and to hold them accountable for their tasks and for delivery of the objectives.

There is nothing better than a RACI defining shared responsibility.


Summary


Everyone in an organization contributes to the success of securing the assets and crown jewels.

  1. Cybersecurity is a shared responsibility for everyone and starts from the top;

  2. Get top management buy-in to ensure everyone is onboarded on the requirements;

  3. The success of any program, and of shared responsibility, lies in good communication and awareness; and

  4. Measure the programs and each step of each program.





