Who is in charge of cybersecurity at your business?

Here’s the brainstorming quiz for this article and your business.

  • Who is in charge of cybersecurity at your business?
  • What’s cybersecurity?
  • No one really.
  • So-and-so is in charge on paper, but not in real life. They don’t have time to deal with it.
  • Our outside information technology provider handles all of that, we don’t have to worry about that.
  • We outsource all security decisions, we don’t have to worry about that.
  • So-and-so (a company employee) is in charge of cybersecurity and they consult with outside vendors and experts as needed.

You can probably guess the best answer and see how others might be a problem.

If your organization has at least one full-time employee working solely on information security, you can stop reading now (most smaller organizations do not have this).

If you have not yet named someone (employed by your company) to be in charge of cybersecurity, keep reading to find out why that is important.

Manage information assets like you manage other business activities

Information assets need to be managed, that means someone needs to be in charge of it. If no one is in charge, things will not get done or they will not get done effectively.

Organizations rely upon outside vendors and service providers for many things but cannot outsource all decision making nor the ultimate responsibility for cybersecurity. After all, someone in the organization needs to make decisions about which outside vendors to use and why. Not every outside provider is perfect, and even when they are the organization still needs to make its own decisions.

Whether the organization is seeking or obtaining advice from lawyers, cybersecurity consultants, information technology providers, or cybercrime incident response providers, they want to first find competent professionals but always retain the final decision-making ability.

Multiple goals

There are three important goals when managing information assets and information security:

  • Improved security and protection from cybercrime
  • Improved compliance with legal requirements regarding cybersecurity
  • Improved efficiency and better use of all information assets.

Designate an individual and form a village

An individual can be designated to be the single person in charge of cybersecurity for the organization. Many titles are possible, but one option is “Information Security Coordinator”. This acknowledges the person may lack the credentials to be a Chief Information Security Officer” (CISO) or even just an ISO, but recognizes their important role in this area.

Organizations can also consider forming a standing committee to help make decisions about information assets. This could be called an Information Governance Committee. Some decisions on IT, providers, platforms and applications can be critical with long term impact across the entire business. Forming a committee of stakeholders can help ensure issues are addressed ahead of time and better business decisions are made.

Who should be in charge?

First, let’s assume you are not specifically hiring a person for this as a full-time role, but instead have existing employees and need to pick one of them to fill this additional role.

If you have an IT professional who is an employee of the company and with the below aptitudes, they are the logical candidate. But many organizations do not have a full-time IT professional on staff.

The person you designate as in charge of information security should be an employee with a good head on their shoulders, good common sense, with an ability to see the big picture and also master details. They will need good communication skills, ability to work a computer, and some degree of technical knowledge plus a desire to improve upon it.

This employee would liaise with outside IT and information security professionals and inside governance.

The person will need sufficient authority—either by their own position or appropriate backing by someone in a higher position—to ensure cybersecurity is appropriately prioritized and necessary tasks get accomplished.

How much time should they devote

Clearly, the organization and designated individuals need to devote “reasonable” time to the important management of cybersecurity. That will depend upon each organization, but the amount of time must be greater than zero.

Imagine the continuum of all organizations in this country. The biggest might have hundreds of full-time information security professionals, plus an even bigger team of IT professionals. The smallest organization has none, and then there is everywhere in between.

But the unifying takeaway is that every organization needs to spend a reasonable amount of time and resources on cybersecurity. Reasonable for its own circumstances.

A solid cybersecurity foundation built on knowledge

To learn more about the cybercrime attacks that could happen if cybersecurity is not managed well, read my prior Westfair articles on the three priority threats of data breach, ransomware, and email-based frauds.

Legal requirements in the cyber realm exist as laid out in my prior articles on cybersecurity laws for business and privacy.

A general overview of cybersecurity for your business helps, and consider the four pillars of cybersecurity. Good policies are important and have legal significance, and every business should analyze five componentsthat impact them.

Conclusion

John Bandler

Every organization should designate someone in charge of cybersecurity to effectively manage and improve their cybersecurity posture and information assets. Well managed organizations properly govern their information assets, including people, computer devices, data, and networks.

If your organization has not yet designated someone to take responsibility for cybersecurity, now is the time.