Security isn’t an “IT problem”, it’s an organisation problem

Often, organisations and their employees consider security to be “IT’s problem”, and they can be very blasé about it. Mandatory yearly security training is considered an inconvenience and a waste of time that just gets in the way of getting the job done. “Why do I have to do this? Security is IT’s job.”

The problem with this mindset is that security is a team sport!

You’ll notice I haven’t said “cyber security” - that’s too easy to lump onto technical teams. Your organisation needs to care about “information security”, because it doesn’t matter if your valuable information is stored digitally, on paper, or in someone’s head. If that information is leaked, your business will suffer damage (reputational, financial, legal, or all three).

Some important tips to help your organisation: 

  • Security starts at the top. If you don’t allow bring your own device (BYOD) then the CEO can’t use it either! Make sure the leadership is genuine when they say security is a priority, and that they follow the same rules. 
  • Ensure people know security is everyone’s responsibility. 
  • Security issues happen. Avoid blame; instead, work with colleagues to identify incidents early and fix the problem.
  • Make reporting security concerns easy, and investigate them promptly. There may not be a problem at all. Thank people who report or ask questions.
  • Run informative, engaging, fun (!) security training that gives colleagues guidance they can actually use today. 
  • Review your security position regularly and make tweaks as needed. Communicate any changes in an understandable and clear way. 
  • Try not to drown colleagues in lengthy policies and training sessions! You need people to engage rather than just tick a box. 

Your security and IT teams have expertise and tools to help your organisation, but security still needs everyone to work together 🙂.


Banner image: Something I and Microsoft Copilot threw together to act as a banner for my cyber security awareness month posts.