Why cybersecurity is not everybody’s job (and what we should do for it to become one)
Musings about the mismatch between what is talked about at security conferences and reality, and how to bridge the two
Welcome to Venture in Security!
Role of cybersecurity in an organization
Before we talk about whose job it is to secure an organization, let’s briefly discuss where security fits in the organizational model.
A good way to start the discussion is to have a quick look at the business through the lens of value creation. At its essence, a business is a way of turning inputs into outputs such that the outputs are worth more than the aggregate cost of the inputs. One of the best tools for illustrating this is Porter’s Value Chain. Instead of looking at the departments that constitute an organization, it focuses on systems and the process of value creation.
Porter divided all business activities into primary (those that directly transform inputs into outputs and distribute them to consumers in exchange for value) and supporting (those that do not directly create value but are required to enable the value creation).
While Michael Porter discussed the value chain in the context of manufacturing companies, it is broadly applicable to software or any other type of business as well. The concept would stay the same even if we were to replace the labels in the “Primary Activities” section with things like Research, Product Development, Release Management & Operations, Marketing and Sales, and Customer Support.
With the exception of companies in the business of providing security (managed security services providers, incident response firms, managed detection & response consultancies, cybersecurity vendors, and similar), cybersecurity generally falls under “Support Activities”, alongside human resource management and procurement. The role of security is to safeguard critical business assets and prevent disruption to business operations. As a friend once said, the nurse on the North Patient Wing couldn’t care less how secure her IoT-powered cart-on-wheels is. She is trying to ensure her patients have good health outcomes and get home in time to spend quality time with her kids.
Internalizing the place of security in organizations is critical, as it’s all too easy to get the idea that security is the core of what organizations should care about, especially if one attends many industry conferences. The truth is somewhat simpler: security is a critical support activity that is valuable insofar as the organization’s primary activities are going well. If there is no business to safeguard, whether or not the company gets breached matters less.
With that out of the way, let’s talk about another mantra repeated at most cybersecurity conferences I’ve been to: “cybersecurity is everybody’s job”.
Cybersecurity is not everybody’s job
In a well-functioning organization, everyone is working to increase profits, and everyone does it by focusing on their own area. Sales are everybody’s problem, but only salespeople are held accountable for selling and for hitting their sales quota. Quality is everybody’s problem, but engineers building products can’t expect everyone to QA their product; that’s what engineering and QA people are responsible for. Cybersecurity, likewise, is the job of security teams, as they are the ones measured on it.
If you work in cybersecurity, reading this will likely make you start screaming in disagreement. Bear with me, and I am sure you will understand what I mean.
You see, I am not saying “security is something that can be fully left to security teams”. What I am saying instead is that “today, whether we like it or not, cybersecurity is the job of security teams, and more often than not they are the only ones who care about it”.
What we should do for cybersecurity to become a part of everybody’s job
Security is a complex, multi-layered problem, and many of the individual layers can (and should) be owned by different people in the organization. Most importantly, everyone in a company needs to be vigilant and do their work in a manner that does not undermine security. In that sense, I do think security should be everybody’s job. For that to happen, a lot needs to change. In the sections that follow, I will propose a few actionable steps that can help us get there.
Before we get to it, a small disclaimer: whatever we do, and however we slice the responsibilities, all individual components of security should continue to roll up to a single team — the security team — responsible and accountable for the holistic security posture. Because that is what they are hired to do. But, without everyone’s cooperation, security teams will always fail, because fundamentally security is not about technology.
Cybersecurity should be on the list of requirements for the job
In business, we have accepted that whether you are a speechwriter, a marketing manager, an accountant, or a quality engineer, communication skills are important for everyone. If people lack communication skills, they can jeopardize the outcome of any initiative, regardless of what role they play in it.
Communication skills are now listed as a requirement on most (all?) job postings, and interviewers are tasked to screen for these skills early on in the hiring process.
For cybersecurity to become a part of everybody’s job, it should be built into the hiring process. First and foremost, we should see “cybersecure behavior” or “understanding of cybersecurity” listed as a requirement on many (if not all) job postings. We should also start seeing behavioral questions like “tell us how you secure your digital life” and “tell me about the time when…”. In some cases, we could even start seeing security professionals taking part in hiring panels (nothing signals the importance of cybersecurity in an organization as clearly as having a security person be a part of the hiring process).
Security should be a part of performance evaluation
One of my favorite Charlie Munger quotes is “Show me the incentives and I will show you the outcome”. People will always do what they are incentivized to do, and therefore designing the right incentives is critical for business success.
For cybersecurity to become a part of everybody’s job, it should be built into the performance evaluation process. First and foremost, cybersecurity-related responsibilities should be a part of job descriptions that define what people do. Secondly, it should be one of the performance factors employees are regularly evaluated against. It should impact decisions about promotions, raises, and terminations.
Security teams should invest in communication and relationships
For cybersecurity to become everybody’s job, security teams should invest time in instilling a security mindset, building relationships with people from different functions, and acting as a resource center of trusted advisors. They should be evangelizing security across the organization by publishing newsletters, providing weekly updates at all-hands, and otherwise working to show what the security team is doing and how it is adding value to the broader organization. They should answer questions and encourage people to come with more.
Cybersecurity teams should make security feel relevant to everyone in the organization by abstracting away the technical complexity and telling stories to inspire, educate, and motivate people to be more vigilant when carrying out their day-to-day work.
Even when security becomes “everybody’s job”, security teams will still be ultimately accountable for it. This is similar to how recruitment teams are accountable for hiring new employees, or how marketing teams are accountable for the brand, even though everyone in the company is a brand ambassador and a recruiter through their use of social media and activity in their private networks. But security can only be done effectively when the organization’s efforts and the security team’s efforts are aligned.
Today, many security leaders go to conferences to talk among themselves about what the industry ought to be doing. And yet, more often than not their own organizations are failing to “make security everybody’s job”.
For security to become “everybody’s job”, it should be embedded into the organization’s systems and incentive structure, from hiring and training to performance evaluation and company-wide communication. Every person in the organization should be clear about their role in safeguarding the organization’s assets and should have access to the tools and support to do it effectively. Security training cannot be bolted on as a “compliance checkbox” for new hires (with a once-a-year “refresh” for all employees to meet SOC 2 requirements).
These changes are only possible if there is leadership-level buy-in and a shared understanding that security is important. And yes, the company leadership should also be subject to the same requirements as everyone else. If, say, a head of marketing did a great job building the company brand but ultimately ruined the company’s reputation by neglecting security and exposing customers’ data, they surely cannot be rewarded for their work.
At the same time, security teams should become more human-focused and less technology-centered (something I have talked about before). There is a great opportunity for security teams to focus on understanding the business their company is in, building relationships across different functional groups, and designing transparent, evidence-based security controls.
Cybersecurity needs to become a part of everybody’s job, and we need to start taking steps to make that happen.