It seems like a pretty basic question. But in all too many organizations it is hard to get a straight answer. Which probably means that the real answer is "no one." Top executives regard it as strictly an IT issue. The CIO regards it as a distraction from the core problem of keeping the organization's information services running. The chief security officer doesn't write the policies handed down from Legal, and the general counsel regards it as a technical detail.
In short, when it comes to data security, all too often the moving finger points, then moves on. Data security seems complicated, it seems technical, and it is embedded in mythology about teenage hackers.
But as Joel Brenner notes at the Harvard Business Review blog network, for many organizations their data is the largest component of their value. Says Brenner, "trade secrets, confidential business plans, and operational security depend on it." How can no one really be in charge of something so critical?
The answer seems to be that people who are not technical specialists imagine that cybersecurity is technical and therefore bewildering. The technically sophisticated have other tasks they are expected to perform. They don't have time for security tasks that, in their view, are really fairly simple.
Major cybersecurity breaches, like airplane crashes, usually result from a chain of failures. But – much more than in modern aviation – this chain of failure usually involves simple human mistakes. Someone thinks that "Password" is a nifty password. Someone gets an email, purportedly from a colleague, and even though it seems a bit odd, clicks on a link anyway.
Many good technical security tools are available, but none of them will protect against these sorts of human errors. What is needed is human awareness and security consciousness. And this has to begin at the top. If top executives regard strong passwords as someone else's concern, no training sessions will keep that message from spreading.
On the flip side, when organizational leaders focus on cybersecurity, a culture of security will spread through the organization. GRT Corporation stands ready to help leaders in developing security policy and establishing a culture of cybersecurity awareness.