As noted previously—and as we all know—an organization cannot be secure until the entire workforce is engaged in reducing cyber risks. Each member of the group has the power to harm or to help, since each one has access to information systems, handles sensitive data and makes decisions every day which maintain, erode or strengthen the human “attack surface” of the organization. But most employees lack the interest or knowledge to contribute positively to the organization’s security.

To address this shortcoming, a recently published guidebook, Cybersecurity is Everyone’s Job, provides guidelines for everyone in an organization to do their part, with helpful tips and references to demystify their role in cybersecurity and—more importantly—give them practical and effective actions to take. A publication of the Workforce Management subgroup of the National Initiative for Cybersecurity Education (NICE), these guidelines reflect the input of numerous experts from government, industry and academia. Intended for the non-technical audience, the guidelines are written in practical, plain-language terms with the intention of arming the reader with specific things to do.

Most importantly, the guidebook tackles the common misperception that cybersecurity is a technology problem looking for a technology solution… that if we could only fix a glitch or install a product, the problem would go away. Rather, it reinforces the understanding that cyber risks are an enterprise-wide challenge requiring a cross-functional, interdisciplinary response across all parts of the organization.

A key feature of this publication is that guidelines are organized by common business functions with which any reader will be familiar. The seven business functions are presented as:
- Leadership, Planning and Governance
- Sales, Marketing and Communications
- Facilities, Physical Systems and Operations
- Finance and Administration
- Human Resources
- Legal and Compliance
- Information Technology
Each section includes a brief description of the business function along with a list of critical data and information systems for which the function is responsible. Highlighted within the section are key ways that the function impacts cybersecurity. Specific to-dos are provided along with a note to leaders on what they should focus on. Additionally, the guidebook includes sections on building a cyber-secure culture, common tasks for everyone, methodology and additional references.

This resource serves as a ready reference for all leaders who are interested in reducing cyber risks by effectively engaging the workforce. It can also serve as an entry point for non-technical and non-security professionals who are looking for effective ways to do their part in securing the organization.