Sunday, 30 May 2010

Having caught the bug for blogging, it is only fair I submit another blog for your perusal.

A provocative question which popped into my head recently (Yup I have been getting a lot of these lately... well more frequently after my last blog) inspired this blog.

The Question: Who is really responsible for security within a company or an organisation?

The Short Answer: Everyone.


The Long Answer/Explanation:

I guess this is somewhat broad and I will understand ones scepticism with the answer provided. Although this was more of an immediate response, it seems to be somewhat profound if not a perfect fit. Several publications and reports about security breaches and incidents and how they affect organisations both in the short and long term serves as a good basis for the conclusion above.

To elaborate on why this makes perfect sense, lets take apart what I believe exactly happens when there is a security breach and when it is made public? In the event of a security breach of any sort, data owners tend to be those who are immediately held accountable as they tend to be those responsible for this. There are other factors to consider with regards to the investigation as to why it happened and how it can be prevented or resolved etc however the core of it all is to point the finger at the sole person or people responsible for this.

From a business sense, should the organisation be one which relies on customer confidence to increase revenue (most organisations) then a security breach (preferably one which could have been prevented with little investment such as encrypting data in transit etc) will certainly affect revenue for the organisation and in the long run the profits made will decrease.

Once there is a significant decrease in the profits or a continuous decrease, the organisation will do all they can to re-gain customer confidence, this then introduces the probability of reviewing resources etc. Resource management in this sense could span physical resources through to redundancies for staff in order to maintain and re-gain whatever market share they had as well as re-gain trust of customers.

On the people management note (staff redundancy), lets assume we split the structure of an organisation into three groups such as Senior Managers, Managers and Everyone else, The senior Managers will usually be the first in the firing line if there was a major breach being data owners. Should profits and revenue for the organisation continue to plummet, the second group within reach of the firing line would then be the managers. This will usually be when the difficult decisions are made with regards to combining roles and responsibilities etc. Should this not resolve the issue then the last group being everyone else will then bear the brunt of the this.

The Conclusion:

Bearing the above in mind and the uncertainty with regards to job security, this I believe justifies the shorter answer for everyone being responsible for security within an organisation. With the application of a little common sense and initiative as well as some education within organisations, this should more than suffice.