How To Distribute Security Responsibility Across Your Company

By Russ Banham

As major cyberattacks grow more severe and sophisticated, seasoned information security (infosec) specialists are reevaluating the concept of tasking a single business function alone to manage a company’s cybersecurity.

With business outcomes at stake in this era of advanced threats, chief security officers like Max Solonski believe that cybersecurity should not be the sole responsibility of a company’s infosec team. Rather, it should be distributed across the enterprise—and on every employee’s radar.

“Infosec came into being originally to help the organization avoid a cyberattack by deploying anti-malware technologies, firewalls, intrusion detection and vulnerability scanning software,” said Solonski, CSO at publicly traded BlackLine, a leading provider of financial and accounting automation software. “With virtually every company getting hacked on a routine basis, infosec’s focus has expanded beyond attack prevention to incident response, in order to minimize the damage in case of a major attack.”

This shift marks a sea change in corporate cybersecurity. In the days when infosec teams focused exclusively on preventing cyberattacks, there was less interest in engaging with the rest of the company. Technical specialists did technical things. Because of the increasing role a digital enterprise plays in modern business and the dynamism and flexibility enabled by the public cloud, that paradigm no longer holds up. To mitigate and moderate the impact of a cyberattack in this new environment, collaboration is a necessity.

“Our job has always been to manage risks, create controls and maintain a secure environment, but with ever-maturing complexity and technology, weakest links are easiest to find among people, and this creates a huge gap in controls,” Solonski said. “To minimize this gap, every employee must be an extended member of the infosec team.”

The Sheriff Needs A Posse

Cybercriminals are getting better at what they do—and attack attempts on organizations appear to be increasing. A recent Symantec report found a significant increase in malicious email attachments in office files in 2018 compared with 2017.

The report also noted a rising number of groups using “destructive malware” to launch attacks on companies: “Targeted attack actors continued to pose a significant threat to organizations during 2018, with new groups emerging and existing groups continuing to refine their tools and tactics.”

And since 2005, more than 11.6 billion sensitive records have been breached by hackers, according to Privacy Rights Clearinghouse. Many of these records are governed by consumer privacy laws that require companies to report breaches and take steps to contain the damage.

Cybersecurity is not a job for the fainthearted. Against this dour backdrop, even well-funded infosec teams struggle to both protect their organizations from the next killer malware variant and limit the associated damage when attacks do happen. Among the most effective ways to accomplish both? Inculcate a culture of infosec across the enterprise—one that is championed by executive management and advocates for threat response alongside prevention.

“Security is a team sport,” said Solonski. “By creating a culture of collective responsibility for cybersecurity, in which everyone possesses basic security-awareness skills and is held accountable for their actions or inactions, businesses can reduce the risk of a successful data breach and a lengthy and expensive disruption in ongoing operations.”

A Secure Transformation

In developing an enterprise-wide cybersecurity culture, the CSO recommended that everyone in the organization—including senior leaders, managers, employees and third-party vendors and suppliers—be apprised of the executive management decision to heighten cyberattack vigilance.

“To disseminate this information across the business, the head of infosec may want to partner with the leaders of HR and corporate communications, given their specific employee engagement roles,” said Solonski.

Consideration should also be given to the value of appointing someone in each business department and function as a de facto cyber risk manager for that unit. The person’s responsibilities might include employee training in cybersecurity, particularly as it relates to suspicious business correspondence, like phishing emails with malicious attachments.

This training should incrementally evolve to address new malware variants and other hacking trends. “Too many companies offer training that is repetitive, which is boring to someone who learned the same thing the previous year,” said Solonski. “By entrusting someone in a function or department with recruiting a third-party training organization to provide information on the latest types of cyberattacks, the person can help ensure the training is new, relevant and even entertaining.”

Companies should also provide targeted training, ensuring that instructions are relevant to each team. Extremely technical guidance on secure coding practices may not be pertinent or helpful for the sales team, for instance.

“You do want to provide training so people can make cybersecurity decisions on their own,” said Solonski. “An infosec nirvana is where people are trained and able to apply common sense and do not hesitate to make proper security decisions. However, if someone is unsure about something, the person should ask the ‘cyber risk manager’ in their function or department for help. And if that person has concerns, that’s where a security professional can step in.”

The bottom line is that security professionals need to incorporate threat containment and response into their training and strategic development. By shifting to a culture that views cyberattacks as a matter of when—not if—companies will be armed to respond quickly and effectively.

Russ Banham is a Pulitzer-nominated financial journalist and bestselling author.

ExtraHop provides enterprise cyber analytics that deliver security and performance from the inside out. Our breakthrough approach analyzes all network interactions and a...