Information Security is Everyone's Problem -- and That's a Problem
If your organization is large enough to have an information security manager or an entire security team, then it’s likely that any security issue or task will be pushed in their direction. That’s why you hired them, isn’t it?
Security is a specialized area of IT and it requires specific skills for a holistic approach. It is also a moving target with many components and attack vectors across your technology stack. A dedicated security team or individual, whether in-house or contracted, can therefore be valuable. But security must be a shared responsibility among every user, no matter their role.
There’s an inherent problem here, and its name is Diffusion of Responsibility. When everyone has a stake in security and there are dedicated managers to boot, users may be more likely to engage in risky behavior. After all, it’s taken care of! That’s why we hired that security guy.
The Perception Problem
There are reasons why your IT staff (and indeed other users throughout the organization) may neglect security in their daily duties, even when working with critical IT systems and data. They include:
- Lack of knowledge and specialization. Security can be highly specific to the individual environment, with different tools and approaches focused on the code language, level of the IT stack, user permissions, network access, and many other factors.
- Lack of a security mindset. It takes a certain kind of person to be an infosec pro, one that hunts for flaws and thinks like an attacker.
- Security fatigue. There are myriad attack vectors and new vulnerabilities every day – often too many for non-professionals to keep track of.
- Convenience. Let’s face it. Your users simply can’t be bothered. They have work to do! Or they might think they know better (“Oh, this link is definitely safe to click.”)
- Emphasis on speed and time to market. In the development world especially, the focus on shipping new features can outweigh security risks. However, this spreads to other departments too. Everyone is focused on accomplishing their task as quickly as possible, often with little regard for policy if it can be avoided.
These factors and others lead to an overall perception that security is a problem for the Infosec Manager or department, despite user activity remaining one of the largest contributors to vulnerabilities. When security responsibilities are clearly communicated to all users, not only are attack vectors like phishing and social engineering less likely to succeed, but security problems are more likely to be discovered earlier. For example, an engineer might realize a patch is needed or a developer might recognize a vulnerability within their code.
The earlier a vulnerability is discovered, the simpler (and cheaper) it is to remediate. It is therefore essential for your IT units in particular to be looking for security vulnerabilities throughout provisioning, implementation, and testing, with DevOps processes that account for security posture at every stage of the cycle.
Keeping Everyone On Board
A major component of information security is user training and awareness. This, combined with tight integration at every stage of infrastructure and service design and deployment, helps drive home the message that information security is everyone’s responsibility. All the proactive measures in the world won’t save you if your users are inviting attackers inside your perimeter.
While most people understand the potential monetary and reputational damage a security breach can cause, the diffusion of responsibility also means someone is ultimately likely to ignore their training and forge ahead with risky behavior.
Regular (at least quarterly) mandatory security training for general users is a good start, but too many warnings and reminders can lead to security fatigue and resentment. For the IT staff, implementing security at every step and every level as part of your continuous improvement or DevOps adoption strategy is a great way to maintain security posture throughout your environment.
The true answer to the diffusion of security responsibility is a combination of team effort and individual accountability. You must decide, and keep track of:
- Who takes ownership of our most critical systems and data?
- Where is that critical data located?
- Which teams and individuals control security for each component of the IT stack? This can be the infosec team or it can be the admins and engineers working with it daily.
- What exactly constitutes critical systems and data vs. non-critical?
- Who is held accountable for security risks or breaches?
Aligning your security team with the owners of systems and data as determined by these questions is key. Security must be involved when these systems are provisioned and at regular intervals once they are in production.
The system owners are responsible for determining the level of security needed for each component. They work with the infosec team to implement the technical aspects of security and to communicate out to other teams any security considerations for the software, hardware, or service in question.
Regular reporting and training must go all the way up to the CSO, CIO, CTO, and CEO, as applicable to your org chart and workflows, so that the C-suite has a stake in security and adheres to security policy themselves. Ultimately, risk management becomes an active practice for all stakeholders. Those at the C-level should understand their own liability best and help foster a holistic approach to security that mitigates not only technical vulnerabilities but also the threat of diffuse responsibility.