Who is responsible for security and compliance?

Who is responsible for security and compliance? Is it the IT team? Is it the board? Or is it you and me? The continued escalation of cyber threats means that IT governance and compliance have never been more important than they are right now.

Complying with security regulations can make all the difference in the face of cyber threats. But anyone in the workforce can easily expose an organisation to astronomical fines and devastating reputational damage for failing to comply with regulations such as GDPR. All it takes is one honest mistake.

The law may require it, the board may request it, and the IT team may implement it. But ultimately, compliance can be undone by any one of us in the blink of an eye. So, really, who is responsible for security and compliance?

The Workforce

Staff have the potential to be one of the biggest liabilities in cybersecurity and compliance. Logistically, the overwhelming majority of day-to-day operations using company IT will be completed by general staff. They are therefore more likely to make a potentially damaging mistake, often without realising they’ve done anything they shouldn’t have.

When something does go wrong and the finger-pointing starts, it is easy to blame the boots on the ground. But it’s not necessarily right. Sure, the incident may have been caused by someone who should have known better, but the key word there is ‘should’.

An organisation’s staff is only as good as the training they receive, and this applies to all levels of the organisation. Senior executives are actually 9 times more likely to fall for phishing techniques and social engineering attacks. But, no matter where they sit in the organisation, if employees are not given the correct training then the effects can be calamitous.

Senior Leaders 

Senior leaders are not usually who we think of as being responsible for cybersecurity and compliance. With busy schedules and important meetings, many senior leaders will not find the time to contend with something as technically intricate as cybersecurity and IT regulations. But should they?

Cybersecurity is a business issue, and as such it deserves its rightful place on the agenda. By 2021, it’s estimated that global damages as a result of cybercrime will reach $6 trillion dollars. If companies fail to get ahead of this now, it’s only a matter of time until they become another damning statistic.

This compliance and security revolution needs leadership, and this leadership must come from the top of the organisation. Not only because it is senior management’s responsibility to steer the business in the right direction but because they are also the prime targets.

Senior executives have access to business-critical information and valuable data that others in the organisation don’t. As most cyber-attacks are motivated by either financial gain or espionage, it makes sense then that senior executives are viewed as highly desirable marks.

Senior executives have a duty to employees, shareholders, and customers to ensure that their organisation is safe and secure, so security and compliance should be a part of their responsibilities in at least some way.

The IT Security Team

When attempting to identify the party responsible for compliance and cybersecurity, the first guess is usually the IT security team. After all, IT security is quite literally their job.

Ensuring an organisation is compliant with the latest regulations or accreditation requires the correct knowledge, skills, and tools. A dedicated IT security team will possess all of this.

However, just 42% of businesses have staff dedicated to managing security or governance. Many smaller companies simply cannot afford to hire staff for every single task, and IT specialists are left to cover such a wide remit that it becomes impossible for them to do everything.

While the IT security team is certainly responsible for ensuring governance systems are implemented and maintained at a technical level, it is unrealistic to expect them to be responsible for everything that transpires within an organisation’s network.

A Wider Cultural Shift

Returning to our original questions: Who is responsible for security and compliance? Is it the IT team? Is it the board? Or is it you and me? Well, actually it’s all of us. We are in this together, and only by working together can we ensure the organisation’s continued safety.

Clearly there is a need for the expertise and technical know-how of the IT security teams, but they also need direction from the board. If the IT security team is regarded as an afterthought, then how are they to know which assets need protecting? Similarly, if the board doesn’t accept that cybersecurity is a priority then these orders will never come down in the first place.

Employees need this leadership from above, and for security and compliance policies to be enforced correctly. But staff also need to be trained to avoid making any costly mistakes. Also, once again, any training initiatives need to be made a priority and put forward by the board.

Unfortunately, there is no easy answer to achieving this cultural shift. Compliance and security best practices are all just pieces of the same puzzle. To stay compliant and secure, we must all recognise that cybersecurity is a collective responsibility.

To learn more about what compliance means for your organisation and how to overcome the challenges, be sure to read our latest whitepaper ‘Beyond Compliance: Raising the bar on cybersecurity’.