Where does the buck stop?
18 April 2016 • Author(s): Dr John McCarthy, Cyber Security Specialist
One of the most common questions I am asked is: who should be responsible for cyber security in an organisation?
The easy answer is ‘it is a board level issue’, but that will only get you so far. In my opinion, board level ownership is vital for successful cyber security management, appraisal and deployment. Organisations need to put cyber security on their risk registers and adopt a regulatory framework to manage it.
So once the board buys into this idea, can we simply hand cyber security over to the IT department? If that is all that is done, then I foresee problems. The IT department has a major role to play, but what about the facilities manager? They are often responsible for multiple Industrial Control Systems that are vulnerable to cyber attack. Surely cyber security is now part of their remit?
In many organisations facilities management and the IT department are distinct and separate entities. Bridging these silos is one of the challenges to deploying effective cyber security. How this is overcome will vary from one organisation to another, but will certainly need board level support.
It is known that over 90% of cyber attacks involve some form of human error or omission. It is therefore important to ask yourself whether your IT department has the skills and capacity to educate the entire workforce on how to mitigate social engineering attacks.
In my previous blogs I have spoken about the need for a cyber security culture that promotes good cyber hygiene. Should we not then be putting basic cyber security training in our induction policies for new staff? So cyber security now widens its scope and falls under the remit of HR as well.
In my opinion, cyber security is similar to general health and safety. It is everyone’s responsibility, though some areas, such as the IT department, have more complex duties and roles to play. In the same way, the accounts department needs specialist social engineering training and a high level of cyber hygiene to be truly vigilant. Indeed, every employee needs to be aware of cyber security and good cyber hygiene.
Once we begin to do this, we are taking steps to secure our organisations from cyber attack. There is no doubt in my mind that cyber security starts at the top, but ensuring good security is part of everyone’s duty.
Put simply, the buck stops with all of us.
About Dr John McCarthy
Dr John McCarthy PhD BSc (Hons) MBCS is a renowned authority on cyber security strategy, development and implementation, and is an Airport Cyber Security Fellow for ServiceTec Global Services.
Dr McCarthy is frequently invited to sit on expert panels and appear as a speaker at well-known security events including International Airport Review’s own Airport Security and Airport IT events. Past appearances have included talks on ICT Security in the Modern Airport, Security in the Digital Age and SCADA threats in the Modern Airport. He has also been a member of International Airport Review’s Editorial Board since January 2014.
Dr McCarthy is also a leading expert on social engineering awareness training and best practice.