Security is Everyone’s Business

Published on 19th October 2023 Author: Rob Black

Early this morning, I dropped my daughter off at school – this year, she is officially part of “Safety Patrol.”

It’s a terrific concept: the fifth graders help the younger kids out of the car and walk them to their class. Not only does this provide help for those who need it, but it also builds a sense of community while teaching the older kids about responsibility.

When my son was in Safety Patrol (yes, it is a family tradition), I would sometimes drive my daughter to school (she normally took the bus), just so he could escort her from the car.

Alas, she’s the youngest, which means there are no more kids to drive to school.

Until today!

When I got back to my house, I saw a bunch of our neighbors’ kids waiting for the bus. They piled in and I drove them to school.

My daughter was definitely surprised when we pulled up – she called me “weird” – but I think she thought it was really cool.

Your Cybersecurity Program Needs a Safety Patrol

When it comes to cybersecurity, most people in the organization assume this is handled by IT or engineering. That’s true to a large degree, and those are certainly the people whose job descriptions cover this area.

But if those are the only people with a close eye on security, and the rest of the company remains uninvolved, you are missing a prime opportunity to reduce risk within your organization. Every individual, regardless of where they sit, can play an important role in increasing (or decreasing) security.

For example…

Human Resources. Are background checks being performed? Is off-boarding done consistently and effectively?
Legal. What are our privacy policies? What internal guidelines are in place?
Finance. Have staff been adequately trained to spot invoice manipulation, gift card scams, bogus requests for confidential information?
Customer Support. How do we validate inbound requests for changes to customer accounts?
IT. Who has admin access and to what degree? Does it align with their job responsibilities?
Engineering. How secure is our software development? Are we minimizing product vulnerabilities?
Facilities. Who has building access? Are our cameras, locks, doors adequate?
Marketing. Who has access to customer information? Who is authorized to send messages to our customer list?

You get the picture. The opportunities for security improvements or lapses are everywhere, many of which have nothing to do with technical weaknesses.

And it’s about more than just training your people in good security practices. I’m talking about establishing your own version of Safety Patrol.

That means explicitly deputizing individuals across the organization to help guide your security program – people who are thinking about security, meeting periodically as a group, and communicating to whatever function they represent so that learning can be brought back to their corner of the organization.

Fundamentally, this is about distributing security responsibility to the point where people consider it part of their role to think about things THEY should be doing and THEY should be looking out for.

Security is a Team Sport

Having one individual or department in charge of security, with no help from the rest of the organization, will not lead to a successful program.

Rather, you need everyone on board, with security roles assigned to specific individuals as part of their explicit responsibilities.

Now if you’ll excuse me, there appears to be a kindergartner wandering around my office about to click on a suspicious link. I need to get my daughter over here right away to escort him to class.

Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.

Rob Black, CISSP

Rob founded Fractional CISO in 2017 and has helped dozens of companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).