Who would you identify as the person who is, or should be, responsible for Information Security in your organisation? Do they need to be at a senior level? Perhaps an external agency, or should a whole department be assigned to look after it? The truth of the matter is that everyone is responsible, from the CEO, to the board, to the people operating the tills and the work-experience student fresh from university. We are all responsible for keeping information secure.
Data. Worth more than gold?
We all know that an organisation cannot survive and certainly can’t thrive without data.
Without data, there is no information,
without information, there is no knowledge,
without knowledge, there is no wisdom.
Organisations of all sizes need data. A window cleaner who has a simple ‘black book’ of addresses, with amounts of money owed is carrying data. If that black book was lost, stolen or destroyed, the impact on their business could be significant.
Data is the foundation upon which all organisations are built. Think about it this way; Google is worth billions but what is its core asset? Data. How about Facebook? The same answer. Data is not just valuable, it’s worth more than gold and oil.
Protecting your assets.
The protection of data and the security of information can’t be handed to one person or department in an organisation because everyone has an impact on the ability to keep it safe. For example, expecting your IT department to be solely responsible for it is like expecting your finance team to be responsible for saving money but then allowing everyone else to do as they please, ignoring income and expenditure!
Everyone in your organisation collects, processes and shares data and information, therefore, how they protect it is of key importance to everyone.
A good way to illustrate and highlight this is to conduct a data audit so that you can unearth where your valuable assets are. You’ll probably have already carried out something like this when the General Data Protection Regulation (GDPR) came into force but it’s worth revisiting at least annually.
Ask the heads of each function to identify:
- Key processes they have
- Each system they use to help in the processes identified
- What information they hold (customers, employee details, financial etc)
- What data they hold (name, DoB, address, national insurance numbers, email etc)
- How much information they hold (10,000 records? 100 records?)
The above will help to build a picture of the data assets you hold so you can make some decisions about how you protect them.
Everyone is responsible, only one is accountable
It doesn’t matter if your organisation employs five, five hundred or five thousand; everyone has a part to play in protecting data and ensuring Information Security. From the receptionist on the front desk, who has knowledge (based on data) that the CEO is flying to the USA at 1pm, to the CEO who is flying to the USA to discuss the latest acquisition. Everyone is responsible, in a large or small way, for ensuring data doesn’t fall into the wrong hands, or is accidentally (or deliberately) lost or stolen.
Each person in an organisation processes data in a variety of ways and under increasing pressure to process more and more, faster and faster. It’s vitally important that we all understand that we can have a positive or negative impact on our organisations, in the way we process and protect data.
But if we are all responsible for Information Security, who is accountable?
Is it the person hired to ensure there is a programme in place to protect data? The answer is, no. Even the person hired to help in this regard is not truly accountable for Information Security.
In the GDPR there is an over-riding seventh principle, the principle of accountability (Article 5(2)), which means that the Data Controller must be able to demonstrate that appropriate technical and organisational measures are in place to protect data.
Just as in Health and Safety, if there is a break-down in the ability to protect individuals, then someone must be held accountable. Accountability, therefore, rests with the head of the organisation: the business owner or the CEO. This is no different for Information Security.
Health and Safety for Data
For far too long organisations have employed an Information Security Manager and said “It’s your job. Make us secure!” Although of course, it’s their role to lead and guide you on your journey to become more secure, they can’t do it alone.
It’s a little like hiring a Health and Safety officer and asking them to ensure you don’t have accidents, but then allowing people to run around blindfolded, carrying scissors.
Everyone understands the relevance of Health and Safety. Although we may sigh at some of the things we need to comply with, most people recognise its importance because, perhaps, we have seen first hand the impact of NOT doing it right.
Information Security is no less important, but the impact of getting it wrong is often not fully understood or realised. This is because the impact is rarely discussed for fear of ‘scaremongering’. As the professionals who lead or guide this journey, we need to stop being so squeamish.
We need to explain why having weak passwords is a bad thing. We need to explain what the impact is if we click on an infected link in an email. Without context, people won’t know why they need to follow our guidance. Just because people are aware that having weak passwords is a bad thing, it doesn’t mean they care. We need to emphasise that it is their responsibility to follow good practice in protecting data and ensuring Information Security.
Everyone is responsible for Information Security. It can’t be done in isolation, or have one person named as responsible. We’re in this together and if each one of us was a little more aware of the positive impact our behaviour can have on the security of our organisations, then people might just start taking notice.
Information Security, like Health and Safety, is everyone’s responsibility. Security is no accident; it’s a choice each of us makes every day.