Democratizing cybersecurity

Cybersecurity as a function within an organization must change from operating controls itself to ensuring that controls are democratized across different stakeholders. Failing to do this will have disastrous consequences.
Vishal Salvi
  • Updated On Oct 1, 2021 at 09:18 AM IST

By Vishal Salvi

Building a security culture in any organization takes a long time. Most employees either think that ensuring security is the job of the cybersecurity team, or they are not aware of their specific role in helping to keep the organization secure. There is also a general perception that security is a very complex technical topic best dealt with by cybersecurity professionals. In reality, the cybersecurity teams are just the catalysts who drive the change towards building a security-first culture.

The power to uphold the change lies with all employees and stakeholders who perform different roles within the organization. They need to be fully aware of their role and must be empowered to execute it effectively. Employees need to demonstrate exemplary behavior in following security best practices so that they do not fall prey to social engineering attacks. Do you know that Google had registered a whopping 2,145,013 phishing sites as of Jan 17, 2021 (up 27% over the previous 12 months)? Besides, phishing attacks account for more than 80% of reported security incidents today, with $17,700 lost every minute due to phishing attacks!

The IT and Information Security teams should take complete ownership of and accountability for ensuring that all requirements of building security by design are implemented across the organizational IT estate, and the business should take complete ownership of the cybersecurity risks to the organization and participate actively in risk remediation and acceptance decisions.

This notion is called shift-left; however, in my view, we must shift in all directions. We need to shift upward so that the executive leadership and the board understand and play their roles well. We need to shift right so that cybersecurity teams are fully trained and empathetic to business and risk realities. We need to shift left not just in terms of IT and IS teams but also to business teams and other supporting functions so that they are able to understand their responsibilities with respect to cybersecurity.

We need to shift down so that we are able to engage with the complete organisation to build a security culture where everyone understands their role and takes pride and ownership in its execution. Cybersecurity can no longer scale and be effective if it is left only to the cybersecurity teams to implement and execute. And so, in many ways our role in cybersecurity has changed: it is no longer about enforcing controls, but about democratizing security by empowering the system to become self-sufficient. There is a burning need to demystify cybersecurity and make every individual accountable for their role in ensuring information security within the organization.

This is not just a technical issue, but also an organizational change management topic. Hence, the following steps should be taken to make this an effective change within the organization.

  1. This change needs to be driven from the top and hence an endorsement from the board and leadership is very important to set the tone and give sponsorship for this program.
  2. There must be a definition and blueprint of what this means across the organization and its stakeholders.
  3. There must be a comprehensive training and enablement plan put in place to ensure that all stakeholders not only understand their roles, responsibilities and processes but are also upskilled to execute them with ease.
  4. A proper measurement of metrics needs to be in place to ensure that this program remains on course to deliver the intended outcomes. A senior program manager with complete empowerment needs to be appointed to oversee the implementation and governance of this initiative.

While we embark on this journey, you should be mindful of the following risks:
  1. Organisations which are not very mature in cybersecurity practices will fail to recognize the need to adopt this change.
  2. Complex and large matrix-driven organisations will find it hard to drive this change, as they are more comfortable implementing centralized cybersecurity. Also, driving such an initiative within a large global enterprise would be a massive change and may be perceived as too difficult to implement.
  3. The organization stakeholders may push back saying this is not their core job and may perceive the cybersecurity teams to be trying to palm off their work unfairly.
  4. The cybersecurity teams may feel insecure as democratizing security may reduce their roles and importance in the organization.

To summarize, cybersecurity as a function within an organization must change from operating controls itself to ensuring that controls are democratized across different stakeholders. Failing to do this will have disastrous consequences. This needs to be driven as a massive change management program within the organization, with clear goals and measurements in place. There are risks to the success of this program which must be recognized, and efforts made to mitigate them to ensure success.

The author is Chief Information Security Officer & Head of Cyber Security Practice - Infosys


  • Published On Oct 1, 2021 at 09:17 AM IST