By Chris Griggs, Founder and CEO
In my early days in the Army, I heard something that I would never forget. I was in boot camp and a fellow recruit was having a difficult time qualifying with his M-16. In obvious frustration, this young soldier opined that weapons qualification should not apply to him, as he had enlisted to be a computer technician. Unfortunately, this phrase was uttered within earshot of a particularly intense drill sergeant, who proceeded to provide what I will call impassioned mentoring to the soldier. His message was simple:
“It doesn’t matter what job you have! In the Army, shooting is everyone’s responsibility!”
InfoSec is everyone’s responsibility
Strangely, the simple truth that employees have a role in company functions outside their immediate job seems to be forgotten when crossing into the realm of information security.
While those outside the IT department like to think of InfoSec as a “tech” problem, the truth is that every employee has a responsibility to help protect their company from information threats. This has been particularly true in the last few years, as we’ve seen a spike in information thieves targeting both technology and people.
CISOs can’t do it all
Corporate information security officers’ time and resources are spread increasingly thin as they try to keep up with a never-ending list of tasks: secure the networks, update the policies, back up the files, adhere to new regulations, and keep the users happy. The list goes on.
What CISOs need is a little help from the home team. They need a grassroots team of InfoSec partners. But the seeds of accountability must first be planted.
The first step is accountability
When a violation or breach occurs, particularly if it results from employee negligence, the hesitancy that many organizations feel about holding employees accountable needs to be reevaluated.
The good news is that you can, in fact, build an army of InfoSec champions within your company. There are some simple steps you can take that can have an enormous impact. We’ll discuss these in future posts. However, any further steps must first be predicated upon establishing accountability.
And accountability doesn’t have to be a bad thing. Did you catch your employee following good InfoSec practices? Reward them! After all, it doesn’t matter what job employees do. InfoSec is everyone’s responsibility.