Who owns security?

“I thought you were doing it?!” is a phrase no one wants to hear. Yet security is often the domain of multiple people within an organisation, without clarity around who is responsible. So what can be done?


“I thought you were doing it?!” is a phrase no one in security wants to hear. So how do you prevent the inevitable breach caused by traditional narrow mindsets?

What’s the point of cybersecurity best practice when someone can tailgate through an open door? What protection do ID badges and access cards provide when you don’t have MFA set up and people are using their dogs’ names for passwords? How can you securely and efficiently onboard your remote team members and contractors when you’ve never met them face to face?  

When it comes to security – both physical and digital – there are often multiple people within an organisation that have some level of responsibility built into their role. Unfortunately, most are operating in silos, with limited cooperation and information sharing. The Chief Security Officer (CSO) is worried about physical security, and the Chief Information Officer (CIO) predominantly about IT infrastructure. The Head of Risk is concerned with compliance, while the HR Director oversees how new employees are onboarded.    

When a breach occurs, it often leads to confusion and the shifting of blame: “But I thought you were doing it?!” 

It only takes one 

Organisations can no longer afford to continue without clarifying roles and responsibilities when it comes to security. It’s a matter of when, not if, you’ll be exposed to a breach, whether malicious or not. It only takes one bad actor, or one weak password, for an incident to occur.

There are countless recent examples: the vulnerability that allowed the Colonial Pipeline hack in the US was a weak password. In New Zealand, a fraudulent remote worker was active in a sensitive system for months before being discovered. EA Games was the victim of a phishing scam after having their company Slack infiltrated.   

A recent trend is for malicious actors to target suppliers or managed services as an easier way into larger organisations to further their reach. The recent supply chain attack on Kaseya exposed 40,000 companies to ransomware. It’s a simple proposition now: if your business provides value, you’re a target.  

What can be done? 

So, where does the responsibility reside? While security leads – like the CSO, Chief Risk Officer (CRO) and Chief Information Security Officer (CISO) – all have an important part to play, the answer, ultimately, is with everyone.   

However, plugging holes in a leaky boat will only get you so far. To take a holistic, identity-defined security approach based on Zero Trust, someone needs to be assigned overall responsibility from a governance perspective, determining policy, implementing controls and taking accountability. From there, multiple people are given responsibility for the execution of this approach across all functions of the business, finally trickling down to the end user. As users, we’re all responsible for educating ourselves and improving our own security posture, thereby improving the collective security posture of our workplaces and other networks.  

Effective security is about layers of protection, and the same applies for the people involved. Implementing a top-down strategy that starts with identity and has clear roles and responsibilities assigned at every step is the best way to protect your organisation and its assets across all access points.

For more information about Daltrey’s identity-defined security solutions, contact us today.