The statement “security is everybody’s responsibility” is a common refrain, and it is an ideal end-state culture for many organisations. Certainly it is from the perspective of the IT security team: they provide the tools and controls, and everyone else does their bit to keep things secure.
This is a great aim. After all, who wouldn’t want a culture where everyone is security-aware and plays their part? But we would caution against leading with this message. It may be your end goal, but should you really start telling staff that security is their responsibility before you have empowered them to act that way?
Reflect on the message from a non-security practitioner’s perspective. What does it actually mean? Your users may well find themselves asking “how is it mine?” or “what do you expect me to do?”. As a high-level theme it is hard to personalise, and it is neither concrete nor actionable.
So, if this is your end goal, then remember to:
Provide awareness that employees can relate to
Our research on security “do do’s” has told us that linking security to threats and concepts relevant to people’s personal lives is helpful. But awareness should also be tailored to your organisation’s domain, to departments within the organisation, and even to specific behaviours. ‘Off the shelf’ generic messaging may be hard for employees to relate to their roles.
Make it specific
An extension of the need to make it relatable is delivering guidance that is specific and relevant to your employees and to the ‘responsibility’ you want them to take. Focus on a narrow set of responsibilities and the associated behaviours you would like to see, and then…
Make it actionable
In order to take responsibility, your staff need concrete and actionable security practices. Ideally these need to be easy: easy to remember, easy to do, and aligned with the organisation’s expectations of how they carry out their role. Try to identify and remove the conflicts between the business pressure to get something done and the secure practices available to staff for doing it. For example, somebody must deliver a proposal to a client at all costs, but corporate email blocks the attachment. What should they do? If there is no obvious, sanctioned answer, they will find their own way to send it, and that workaround is exactly the behaviour your awareness messaging is trying to prevent.
It is undoubtedly true that all staff have a critical role to play in the security of any organisation, and they should be given security responsibilities. But remember that most people do not come to work to “do” security. Structure security awareness in ways that spell out exactly what responsibility you want them to take, and actually empower them to take it.