Who Should be Responsible for Employee Cybersecurity?

Last week, the Guardian shared a blog post on how good cybersecurity starts at board level, not IT. The post explains that while the IT team and the CIO are often the ones blamed in a crisis, many cybersecurity breaches are the fault of general employees. Their negligence permits email breaches, lost physical documents and social engineering to have a detrimental impact on the business – and unfortunately this is something that is hard for IT teams to monitor. The blog post argues that these areas require the attention and governance of a corporate executive body, as opposed to just those working in IT services.

Communication between management and IT
Communication problems between IT and management teams are not a new concept. In fact, we recently wrote a blog post about how common it is for there to be a communication breakdown between IT employees and management. Our post was based on a study conducted by Tripwire and the Ponemon Institute called “Are Security Metrics too Complicated for Management,” which investigated this all too common problem. In our blog post, we examined the many reasons this could be the case, including the fact that executives aren’t always privy to threats before they become full-blown incidents, and that technical terms don’t often translate across departments.

Fixing Communication – Shifting Onus
Maybe part of the problem is not just the communication between the two groups, but also who owns what responsibilities. For most people it goes without saying that IT should certainly be in charge of maintaining security systems. That doesn’t mean that management shouldn’t be involved in cybersecurity discussions.

To ensure engagement across the board, management teams can take more responsibility for the teaching and training of staff members. While IT can (and should) play an active role in implementing the training sessions, managers need to work with their teams to ensure that everyone is attending the appropriate sessions and taking all necessary precautions to keep themselves and the organization as a whole safe. Managers, executives and board members should also ‘walk the walk’ when it comes to cybersecurity, ensuring that they take the time to attend training sessions and do their best to keep confidential information secure.

Do you think that executives need to play a more active role in cybersecurity prevention? Let us know in the comments below.