Sunday, January 6, 2019

Who is Responsible for Security?

Ultimately, management (including the owners) is responsible for the implementation and oversight of both the Information Security and Physical Security programs of an organization.  So when you read about a data breach where a retail vendor had thousands (or millions) of credit card records stolen, or a hospital is locked out of its systems for days or weeks due to ransomware, or a real estate broker has its e-mail compromised by a phishing attack, at the end of the day it is management that is responsible, not IT, and not the security officer or security analysts.  It is an organization's management that approves the security policy and the security budget, and those two decisions determine the level of effort given to the security of the organization.  Even if employees or an outsourced company are responsible for implementing and maintaining good security practices, management is still held accountable for monitoring their activities and ensuring that the organization's security program is being carried out according to the security policies.

There is also another group of individuals in an organization who are responsible for the day-to-day execution of proper security procedures and processes: the employees.  Or, in other words, everyone.  In an organization, it is everyone's responsibility to follow good security practices, from setting strong passwords, to not letting strangers piggy-back into secure buildings, to reporting anything suspicious to management or their designee.  Truth be told, no matter how much money is in the budget for security, there is never enough.  So to provide adequate protection for your organization, your employees need to be trained, empowered and, in a sense, "deputized" as security officers in order to maintain a culture of security in your organization.

So to answer the question "Who is Responsible for Security?", the answer is two-fold: primarily management, for ensuring good security practices are in place (including security awareness training for employees and contractors), and secondly the organization's employees, who need to follow security procedures and act in a secure manner at all times when conducting the organization's business.


Be Secure!

@tjmprofessional.com

1 comment:

  1. You make so many great points here that I read your article a couple of times. Your views are in accordance with my own for the most part. This is great content for your readers. Security Awareness Training