The Hard Truth About Cyber Security Awareness Programs

Posted on 2022-1-4 14:36:52
At first glance, this is really a very dangerous argument to manipulate. To answer it using another cliché, there is a fine line between something being everyone's responsibility, and the same thing becoming nobody's responsibility. The key here is to recognize that while every employee may have a role to play in securing company assets, these roles vary from function to function, and failing to communicate with each staff member meaningfully in the context of their own work just doesn't work: telling HR staff who receive resumes by email every day not to open attachments is a waste of time.
Also, it is essential to recognize that the level of commitment of each employee around cybersecurity will depend entirely on the level of commitment of the employee to the company, its culture and its values. It's a natural instinct to protect what is important to you. Conversely, it can be difficult to convince disengaged staff, or staff who see senior management consistently allowed to ignore the rules, when they must adhere to more stringent measures. So it may be that in one form or another, “cybersecurity is everyone's responsibility”, but the message cannot be generic and must be structured appropriately. In addition, the example must come from above and must be relayed without exception by all layers of middle management so that the message of good practices crosses the fabric of the company.

This is often the most common flaw in many cybersecurity awareness campaigns: they are owned by the cybersecurity team and are structured horizontally for all staff, instead of being owned by a board member and structured to transmit vertically through the steering. Ownership for cybersecurity must start at the top.



A board member should be visibly responsible, and part of their compensation should depend on it, as we advocated in a previous article. Human resource management should also be involved and it has a key role to play: specific key cybersecurity responsibilities should be distributed among staff members and formally articulated in role descriptions. Staff should be encouraged by pay and middle management to approach these aspects of their roles as an integral part of their job, and not as a meaningless piece of managerial jargon.

Readers may think that this is just idealistic and that it may not work in most businesses because these levels of management simply would not be interested in or understand cybersecurity enough to articulate a meaningful vision around it.

