If an organization has a CISO, CSO or a designated security professional in-house, that is likely who leadership turns to for any cybersecurity-related decisions. While businesses should have someone who is signing off on security systems and protocols, they aren't going to get the best protection if everything is left to one person.
Cybersecurity is a team effort. A cyber incident will impact individual departments differently; a data breach will require input and leadership from people who would otherwise have no say over the day-to-day security operations, such as public relations and legal.
While the primary focus of cybersecurity will fall to the technology stakeholders whose jobs formally involve deterring, detecting and mitigating cyberthreats, there are others who hold responsibility for the quality of cyber defenses.
That includes just about everyone within the organization who, though not formally responsible for cybersecurity, may inadvertently or deliberately expose the organization to cyberthreats, according to Richard Blech, founder and CEO of XSOC.
To secure the network and protect data, organizations need an all-hands-on-deck approach. It requires human relations input as well as technical expertise.
Although that doesn't give everyone equal say in how security decisions are made, everyone should be welcome to offer their thoughts on what is working and what areas need improvement, so the decision-making team can use that information as programs and tools are implemented.
Working across the business
To determine how cybersecurity decisions are made, leadership needs to better understand how security fits into overall business operations.
IT security for an enterprise usually covers all domains: cloud, on-premises servers, desktops, applications, mobile and network.
"The product and support are often managed by separate line managers, workers who often report up to different chains of command," said Garret Grajek, CEO at YouAttest.
To this end, "securing the enterprise" becomes as much a human relations task as it does a technical exercise.
"The security personnel must be able to not only dictate the specific guidelines but also learn how individual groups are using technology, and the practices involved to execute enterprise objectives," said Grajek.
However, security has long stood in its corner in the business world, separate from other business functions. CISOs have only recently been invited into the boardroom, and even that isn't a universal policy. Cybersecurity is not always looked at as a business function.
For example, any change in IT operations triggers cybersecurity posture changes for 57% of organizations, according to a CompTIA study. If that's the case, security decisions are likely made whenever another step is taken in the digital transformation, with security focused on the new device or technology.
Decision-makers for the security of IT operations will depend on the function of the IT technology in question, and that silos cybersecurity away from the rest of the business operations.
But as data breaches, ransomware and other cyber incidents threaten to disrupt operational processes, cybersecurity has to be seen as an equal function within the company.
Decision-makers for cybersecurity need to come from all areas, bringing their expertise surrounding the sensitive data and systems to be protected so if there is a disruption to the network, the business can keep running.
"It is important for security leaders to collaborate closely on interdepartmental cybersecurity strategy, training, as well as promoting deliberate organizational habits (across lines of business) in order to secure key assets," said Blech.
Who are the decision makers?
Cybersecurity decision-makers can be anybody in the company because security is the responsibility of everyone. Staff assistants make decisions every day surrounding security with tasks like shredding old documents with sensitive information, for example.
However, the decisions with the most impact belong to the people who control the budget. But these decision-makers have several stakeholders and often have multiple objectives, said Grajek. Availability, time-to-value, flexibility and functionality are often part of the decision-making process, and these requirements may vary from group to group.
"Given that security is often integrated into the functionality of a larger component, it's often that the final decision maker is wholly or shared with resources outside of the security group," said Grajek.
Most effectively, security leaders communicate best practices in a way that shows an understanding of the objectives of the IT department.
"Initial research and dialogue by the security team member goes a long way toward a collaborative work environment," said Grajek.