All the experts agree – cyber security should be an organisation-wide concern. And yet, in my experience, too many organisations, and too many people in those organisations, think that cyber security is solely the concern of (a) the security team, or (b) the IT/digital team. In case you need convincing, my favourite response is that if there is a cyber-attack (or incident) then it is not the IT team’s work that is at risk, but the work of the rest of the organisation (if the HR system is compromised, it is the HR team who won’t be able to work, not the IT or security teams). Who knows what the impact of an attack is? It’s not IT, that’s for sure. And who is best placed to balance the needs of the organisation against the cyber risks? It’s not security: if you left it up to me, I’d turn everything off! That’s the only way to be sure (and I get no benefit from it being on, so…)
Coming back to Aotearoa recently, I was struck by how much the understanding of health and safety had changed (and how it compared to where I was coming from). A few years ago, health and safety was something that only HR and a few enlightened managers cared about. These days a combination of regulation, compliance and a few high-profile prosecutions, as well as perhaps advances in thinking, has radically changed the landscape in New Zealand. Now all managers need to understand OSH in general and know what the risks are to their staff’s health and safety – and what’s more, they need to play an active role in mitigating and managing those risks.
Cyber security should be like OSH in that way! It should be thought of in the same way: as something that boards of directors and senior leaders take accountability for, as a topic that every manager should understand, and as something everyone in the organisation knows they play a part in solving. Ultimately, it is something that affects everyone in an organisation. It should no longer be relegated to IT departments, just as health and safety is no longer solely the concern of HR teams.
Perhaps my glancing enviously towards my health and safety colleagues is a case of “the grass being greener on the other side”. Maybe the attitude towards health and safety is more apparent than real. But to be frank, even that would be an improvement on where most organisations are with cyber security. I wouldn’t settle for it, but I would welcome that improvement.
I think that the main reason for this change in Aotearoa New Zealand is the introduction of new health and safety legislation – and the aggressive prosecution that came with it. In particular, the personal liability that came with this legislation made managers sit up and take notice. So, until something similar happens in NZ for cyber security (as is being suggested in Australia) I can’t see major changes coming, but I can hope.
Doug Newdick is a Senior Consultant at Axenic and is always keen for a chat about raising cyber security understanding and awareness. Feel free to contact Doug via email or connect with him on LinkedIn.