Cybersecurity Is Everyone’s Job. Are You A Vulnerability?

Cybersecurity responsibilities can’t fall on security teams alone. But how do other stakeholders—like professionals in HR, sales and legal—contribute to the security posture of your organization?


Created by NICE (the National Initiative for Cybersecurity Education, a NIST program), this article outlines what each member of an organization should do based on the types of work they perform.

Read this article to learn:

  • How to build a cyber-secure culture at your organization
  • Best practices for leadership, marketing, IT and more
  • Insights for organizational leaders on making a positive cybersecurity impact

Content Summary

Abstract
Introduction
Building a Cyber-Secure Culture
Leadership, Planning, and Governance
Sales, Marketing, and Communications
Facilities, Physical Systems, and Operations
Finance and Administration
Human Resources
Legal and Compliance
Information Technology
Doing the Right Things

Abstract

This article outlines what each member of an organization should do to protect it from cyber threats, based on the types of work performed by the individual.

It is aligned with the strategic goals of the National Initiative for Cybersecurity Education (NICE), a program of the National Institute of Standards and Technology (NIST). The need for this paper was identified by the Workforce Management subgroup of the NICE Working Group (NICEWG), a voluntary collaboration of industry, academic and government representatives formed to facilitate, develop and promote cybersecurity workforce management guidance and measurement approaches that create a culture where the workforce is managed and engaged to effectively address the cybersecurity risks of their organization.

Introduction

In this era of persistent cyber threats, an organization can be secure only with the active participation of everyone. Unfortunately, many organizations limit security responsibilities to designated security personnel who perform specialized security functions. Effective security must be enterprise-wide, involving everyone in fulfilling security responsibilities. Each member of the group, from the newest employee to the chief executive, holds the power to harm or to help, to weaken or strengthen, the organization’s security posture.

This article outlines what each of us should do to protect the organization, based on the types of work we do.

Cybersecurity: Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack (Merriam-Webster).

Building a Cyber-Secure Culture

Your organization’s culture is critical to establishing a successful cybersecurity posture. Its culture must emphasize, reinforce, and drive behavior toward security. A resilient workforce will not exist without a cyber-secure culture.

Mindset

Mindset is a critical component of culture. When we build awareness into the organizational culture, we increase our ability to address cyber risks. Every organization is at risk, whether a small non-profit or a Fortune 100 company. Given the prevalence of cyber attacks, we need to stay alert and prepared. Mindset will drive appropriate behaviors at the individual level, contributing to the resilient workforce that every organization needs.

Leadership

The organization’s leaders set the tone. Leadership is the most important factor to influencing awareness and mindset. Leaders must embrace cybersecurity education, awareness and best practices. Leaders must also support security investments, and champion cybersecurity in enterprise risk management. Deep technical knowledge is not required from leaders; rather, they should model good personal security habits based on sound guidelines. Leadership involvement is critical for a cyber-secure organization.

Training and Awareness

Once leaders foster a cyber-secure culture, the next step is to implement employee awareness training. These programs build an understanding of risks, and—most importantly—provide specific steps for mitigating them. Training programs come in many forms; most involve computer-based learning modules and practical exercises. The use of social engineering, or manipulation, to spread exploits via unsuspecting employees is an increasing risk. Employees may have access to the targeted data or systems themselves, or may be exploited to reach those who do. A key element in a training program is hardening your employees to the reality of socially engineered exploits. No program will lead to a sustained 100% success rate against human-based exploits, but a good one can substantially reduce the volume and the impact of attacks, so that your cyber defenders can focus on a smaller, more manageable set of incidents. Another common way to help build a cyber-secure culture is through internal awareness campaigns. From posters and newsletters to contests and prize drawings, organizations have found effective ways to generate “buzz” around important security themes. While these methods should be employed year round, October’s National Cybersecurity Awareness Month is a particularly good time to emphasize these themes.

Performance Management

Incentives and disincentives can have a profound impact on human behavior. For real cultural change to occur in cybersecurity preparedness, individual performance goals must align with the goals of the organization. Performance goals for security can include completion of required training, improved responses to phishing exercises, compliance with policies, and avoidance of risky online behaviors. Financial and operational metrics are common in organizations; security metrics should be also.

Technical and Policy Reinforcement

Technical controls associated with human behavior can be implemented to reinforce cyber-secure culture. Just as physical access controls reinforce the mental awareness of a physical perimeter, so can password policies, multifactor authentication and mobile device management solutions reinforce security culture. Policy at the organizational level can also drive implementation of controls by outlining the negative consequences of non-compliance. There are many ways that these guidelines can be implemented, reflecting the unique culture of each organization. What matters is that they form the basis for developing a cyber-secure culture by increasing awareness and fostering the right mindset. With a sound cyber-secure culture in place, each business function can focus on its own contribution to protect the organization.

Leadership, Planning, and Governance

Setting overall direction, establishing priorities, maintaining influence, and mitigating risks

What Leadership, Planning, and Governance Does

If you are responsible for the overall strategic direction of the organization, or for maintaining controls and mitigating risks, this section applies to you. Leadership, Planning, and Governance professionals are often the most senior leaders, or are directly supporting strategic decision makers. You may be involved in board proceedings, contribute as senior level management or manage a complex government agency, with fiduciary responsibility and budget authority. Or, you could be the owner-operator of a small business or franchise. What all these roles have in common is that final decisions are made by you, or you are supporting those who make those decisions. Because competing demands must be balanced and limited resources allocated, you play a crucial role in establishing priorities and ensuring adherence to them. At the same time, strategic risks to the organization must be addressed. You are often the arbiter of difficult decisions.

You matter to the organization, because without you, the organization lacks direction and cohesion. You are the hub of the wheel—connecting to, coordinating, and driving the many parts of the business.

The Role of Leadership, Planning, and Governance in Cybersecurity is All About:

  1. Managing and mitigating overall cyber-related business risks
  2. Establishing effective governance controls
  3. Prioritizing and resourcing cybersecurity programs
  4. Safeguarding the sensitive information you rely on for planning and decision making
  5. Establishing a cyber-secure culture within the organization

What Leadership, Planning, and Governance professionals should do:

Understand cyber security basics and best practices well enough to enable sound decision making

  • Establish a routine reporting process for cyber risks within the organization
  • Engage with trusted third parties to learn about cyber risks and their mitigations—this includes consultants, industry groups, and cybersecurity service providers and educators
  • Regularly commission objective risk assessments of the organization
  • Direct the implementation of cybersecurity best practice frameworks, maintained by authoritative entities such as the National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), and International Organization for Standardization (ISO)

Include cyber risks in the enterprise risk management process

  • Avoid treating cyber risks as a separate and mysterious matter only for technologists
  • Understand the organizational impacts of cyber incidents
  • Consider risks introduced by partners and suppliers
  • Conduct exercises and decision-making drills to familiarize yourself and your organization with how to respond to disasters and security incidents
  • Prioritize cyber-related risks to ensure appropriate attention and effort is committed to their mitigation

Develop and maintain organizational information security policies and standards

  • Ensure that information security policies are informed by risk assessments, regulations, and standards/best practices
  • Ensure organizational security policies are appropriately implemented, institutionalized and communicated
  • Be aware of relevant data protection / privacy regulations and legislation to ensure that your organization remains in compliance, e.g., General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), Freedom of Information Act (FOIA), Sarbanes-Oxley (SOX), Family Educational Rights and Privacy Act (FERPA)
  • Have a schedule in place to regularly review and update policies

Promote the development of effective cross-functional teams to accomplish cybersecurity goals for the organization.

Adequately fund cybersecurity resource requests

  • Digital assets cannot be protected without human and technical resources; be ready to commit resources aligned to a cohesive cybersecurity strategy
  • Plan for future needs

Protect sensitive strategic, financial, legal, and risk information

  • Share only necessary information
  • Ensure the information is retained/destroyed in compliance with the organization’s data retention policies or external regulations
  • Use strong encryption, strong passwords, and other methods to secure files when you transfer them to others

Protect access to online file sharing or decision support platforms by applying best practices, such as:

  • Strong passphrases
  • Unique passphrases for each critical account
  • Multi-factor authentication

What we all should do:

Ensure that all operating systems and applications are at their most current and secure version by enabling automatic updates from the vendor

When working from home, secure your home network by applying best practices (see NIST SP 800-46 Rev. 2), such as:

  • Change your wireless router password, SSID, and limit ability of others to find it
  • Maximize encryption levels on your wireless router
  • Increase privacy settings on your browser
  • Use Virtual Private Networks (VPN) to access corporate networks whenever possible
  • For additional security, protect browsing privacy through encrypted browsers
  • For additional security, protect personal email accounts through encrypted email

When traveling, secure your connections to the enterprise

  • Do not enter sensitive information on public computers, such as in hotel lobbies, libraries and internet cafés
  • Use VPN access to corporate networks whenever possible
  • Do not use public Wi-Fi without VPN to transmit sensitive information
  • Use a dedicated wireless hotspot for internet access
  • If a hotspot is not available, consider tethering to a corporate or business-issued cell phone
  • Consider using disposable phones when traveling in regions with questionable data security or excessive surveillance
  • Physically protect your computer from theft and unauthorized access

Use social media wisely

  • Apply strong privacy settings
  • Don’t share personal information on business accounts
  • Don’t share business information on personal accounts

Your title includes words like: Director, Board, Chairman, Chief, Executive, Commander, President, Vice President, Partner, Principal, Owner, Founder, Secretary, Consultant, Strategy, Governance, Risk, Intelligence, Controls

Information and systems you own, manage, or use:

  • Strategic plans
  • Intellectual property
  • Board and senior management proceedings
  • Financial records
  • Merger and acquisition information
  • Third-party recommendations and reports
  • Routine communications of a sensitive nature

A note to leaders

You are ultimately responsible. Work with cybersecurity experts—externally and those you hire internally—to establish sound guidelines, be familiar with those guidelines, implement them yourself, and ensure that your teams know what they’re expected to do.

Don’t be afraid to ask questions. Nobody expects you to understand cyber as well as you understand finance or operations, but everyone expects you to mitigate risks to the business—and cyber risks are real. Your job depends on how well you address the real risks of an often-unfamiliar subject.

Sales, Marketing, and Communications

Raising awareness, communicating, generating revenue, and interacting with customers

What Sales, Marketing, and Communications Does

If you are interacting with customers, clients, donors or citizens, this applies to you. Sales, Marketing, and Communications professionals are those who engage prospective and existing customers to drive awareness of products and services, stimulate interest, and generate revenue through sales or other means. You may also be involved in public- and media-facing communications. You are the messengers of the organization, carrying news of the good things you provide to those who need to know, and responding to current events. This includes the crucial work of converting business ideas into real business deals. Along with the people who deliver the products or services, you are often the most visible, outward-facing people in your organization.

You matter to the organization, because without you, ideas, products and services sit idle—you make the organization a vibrant part of the world around it.

The Role of Sales, Marketing, and Communications in Cybersecurity is All About:

  1. Protecting the company brand, reputation and the trust of citizens, customers, and partners
  2. Preventing/limiting information loss as you interact with the outside world
  3. Reducing risks to the enterprise network presented by remote work, telecommuting, and travel

What Sales, Marketing, and Communications professionals should do:

Communicate the importance of cybersecurity matters to your stakeholders

  • Access reputable sources to develop a well-rounded understanding of how information and systems fit into the ecosystem of the people you interact with—this includes consultants, industry groups, cybersecurity service providers and educators
  • Inventory the types of information entrusted to the care of your organization, and consider the potential impact of data compromise for your customers and partners
  • Understand the potential impact of a cyber incident to your organization, including customer trust and competitive advantage

Develop a communications plan for the inevitable cyber incident

  • Participate in internal incident response team planning
  • Become familiar with the cyber incident response plan
  • Participate in “table-top exercises” and other planning efforts in anticipation of cyber incidents
  • Draft a communication plan consistent with regulatory requirements, legal considerations, industry best practices, and commitments made to external stakeholders

Protect shared files

  • Use encryption, passwords, and other methods to secure files when you transfer them to/from customers and partners

Protect access to your Customer Relationship Management (CRM) platform by applying best practices, such as:

  • Strong passphrases
  • Unique passphrases for each critical account
  • Multi-factor authentication
  • Restricting levels of access by need
  • Removing employees or vendors when they are no longer involved

Protect customer information in quotes, purchase orders, invoices, payments, and presentations

  • Share only necessary information
  • Ensure the information is destroyed in compliance with the organization’s data retention policies or applicable regulations

Bring customers’ cyber concerns back into the organization.

Be aware of the implications of conducting business in foreign jurisdictions with different regulations such as the European Union’s General Data Protection Regulation (GDPR)

What we all should do:

Ensure that all operating systems and applications are at their most current and secure version by enabling automatic updates from the vendor

When working from home, secure your home network by applying best practices (see NIST SP 800-46 Rev. 2), such as:

  • Change your wireless router password, SSID, and limit ability of others to find it
  • Maximize encryption levels on your wireless router
  • Increase privacy settings on your browser
  • Use Virtual Private Networks (VPN) to access corporate networks whenever possible
  • For additional security, protect browsing privacy through encrypted browsers
  • For additional security, protect personal email accounts through encrypted email

When traveling, secure your connections to the enterprise

  • Do not enter sensitive information on public computers, such as in hotel lobbies, libraries and internet cafés
  • Use VPN access to corporate networks whenever possible
  • Do not use public Wi-Fi without VPN to transmit sensitive information
  • Use a dedicated wireless hotspot for internet access
  • If a hotspot is not available, consider tethering to a corporate or business-issued cell phone
  • Consider using disposable phones when traveling in regions with questionable data security or excessive surveillance
  • Physically protect your computer from theft and unauthorized access

Use social media wisely

  • Apply strong privacy settings
  • Don’t share personal information on business accounts
  • Don’t share business information on personal accounts

Your title includes words like: Sales, Accounts, Client, Revenue, Business Development, Donor Relations, Advertising, Social Media, Marketing, Demand Generation, Communications, Media Relations, Analyst Relations, Public Affairs, Community, Stakeholder, Engagement, Relationship Manager

Information and systems you own, manage, or use:

  • Customer data
  • Public announcements
  • Partner data
  • Public-facing websites
  • Contracts
  • Social media accounts
  • Financial data
  • Press releases
  • Customer support portals
  • Customer Relationship Management (CRM) systems

A note to leaders

Implementing cybersecurity best practices is hard to do with external-facing employees, particularly if they are out in the field most of the time. The most effective aspect of leadership is to lead by example: know these guidelines, implement them yourself, and ensure that your teams understand what they’re expected to do.

Demand cyber-secure resources. If your organization does not provide secure connections, such as multi-factor authentication, VPN, and/or mobile hotspots, demand it! Your job, and the organization’s reputation, depends on maintaining the trust of citizens, customers, and partners.

Facilities, Physical Systems, and Operations

Designing and delivering products and services, managing operations, and maintaining the physical environment

What Facilities, Physical Systems, and Operations Does

If you are designing and delivering the organization’s products and services to your customers, or are part of the operations to support delivery, or are managing and maintaining the physical environment, this section applies to you. Since the types of products and services vary greatly, Facilities, Physical Systems, and Operations covers a diverse range of roles from site management to product engineer to operations analyst to distribution manager, and beyond. You deliver the organization’s value to the world, fulfilling its primary purpose. Your role directly impacts citizens, customers, and partners who depend on your organization’s products and services.

You matter to the organization, because successful development and delivery of its products and services depends on you. The organization would cease to function without the capabilities you provide, and the primary purpose of the organization would go unfulfilled. Your performance is also crucial to maintaining a competitive advantage—what makes your organization unique and respected—in a crowded, noisy, and busy world. Furthermore, the technology systems you operate, including those that manage physical processes (Operational Technology (OT), rather than Information Technology (IT)), introduce potential risks to life and limb, making your security readiness paramount.

The Role of Facilities, Physical Systems, and Operations in Cybersecurity is All About:

  1. Protecting the uniqueness of the products and services that your organization delivers
  2. Securing physical systems from compromise due to all hazards, including physical and cyber risks
  3. Integrating cybersecurity with physical safety and security

What Facilities, Physical Systems, and Operations professionals should do:

Identify cyber risks to the resilience of physical systems, including control systems

  • Engage IT and OT stakeholders
  • Engage trusted third parties to develop an understanding of cyber risks in the physical environment
  • Perform a comprehensive assessment of the physical environment to identify vulnerabilities and weaknesses

Ensure appropriate physical security controls are implemented at facilities

Develop a comprehensive plan to improve the security of control systems

  • Leverage cybersecurity best practice frameworks, maintained by authoritative entities such as National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), International Organization for Standardization (ISO), and ISA99

Incorporate cybersecurity measures into the safety program

  • Ensure employee training includes awareness of cyber risks in the physical environment
  • Leverage the safety program as another means to foster a cyber-secure culture
  • Partner with IT to develop a system for guests who access the physical environment: limiting direct access, providing a restricted Wi-Fi network, etc.

Protect intellectual property

  • Use encryption, passwords, and other methods to secure files when you transfer them to/from customers and partners
  • Share only necessary information
  • Ensure sensitive information is destroyed in compliance with the organization’s data retention policies or external regulations
  • Prevent remote access to systems unless absolutely necessary

Consider security risks and mitigations in the supply chain

  • Ensure security controls are embedded within products where necessary
  • Ensure suppliers adhere to security best practices

Protect access to your information repositories by applying best practices, such as:

  • Strong passphrases
  • Unique passphrases for each critical account
  • Multi-factor authentication

What we all should do:

Ensure that all operating systems and applications are at their most current and secure version by enabling automatic updates from the vendor

When working from home, secure your home network by applying best practices (see NIST SP 800-46 Rev. 2), such as:

  • Change your wireless router password, SSID, and limit ability of others to find it
  • Maximize encryption levels on your wireless router
  • Increase privacy settings on your browser
  • Use Virtual Private Networks (VPN) to access corporate networks whenever possible
  • For additional security, protect browsing privacy through encrypted browsers
  • For additional security, protect personal email accounts through encrypted email

When traveling, secure your connections to the enterprise

  • Do not enter sensitive information on public computers, such as in hotel lobbies, libraries and internet cafés
  • Use VPN access to corporate networks whenever possible
  • Do not use public Wi-Fi without VPN to transmit sensitive information
  • Use a dedicated wireless hotspot for internet access
  • If a hotspot is not available, consider tethering to a corporate or business-issued cell phone
  • Consider using disposable phones when traveling in regions with questionable data security or excessive surveillance
  • Physically protect your computer from theft and unauthorized access

Use social media wisely

  • Apply strong privacy settings
  • Don’t share personal information on business accounts
  • Don’t share business information on personal accounts

Your title includes words like: Operations, Delivery, Consultant, Services, Engineering, Product Development, Process Control, Workplace, Plant, Facilities, Fabrication, Office, Maintenance, Logistics, Supply Chain, Real Estate, Design, Manufacturing, Safety

Information and systems you own, manage, or use:

  • Intellectual property
  • Plans, diagrams and schematics
  • Physical control systems
  • Supervisory Control and Data Acquisition (SCADA) systems
  • Building management systems (BMS)
  • Physical security systems

A note to leaders

Cultural barriers are as big as any other factor when it comes to cybersecurity in industrial environments and physical systems. It will require persistence, education, and leadership by example to build bridges between operational technology and information technology professionals, as well as between cybersecurity and industrial safety advocates.

Address risks holistically, across all domains. Insist that your employees do the same. Just as safety culture is driven by good leadership, sound performance management, and effective training, so is cybersecurity culture in operational environments.

Finance and Administration

Providing planning, forecasting, accounting, transactional and administrative support to all functions within the organization

What Finance and Administration Does

If you are involved in managing the organization’s finances, from planning and budgeting to accounting and processing transactions, this section applies to you. You are responsible for ensuring that each part of the organization has the ability to pay for goods and services, operate within a budget, track revenues and expenditures, and conduct business with external entities—from customers to suppliers. You may also provide administrative support to the Planning and Governance function or manage office operations. While this function includes all persons with a full-time role in these areas, it also applies to all executives, managers, and associates who handle financial and administrative matters; in other words, just about everyone.

In many cases, the Finance and Administration function includes enterprise risk management, with associated processes and personnel reporting into a Chief Financial Officer (CFO) or similar role. Internal audit and compliance functions may also be included.

You matter to the organization because nothing can happen without the ability to maintain financial health, perform essential transactions, manage business risks and support the Planning and Governance function.

The Role of Finance and Administration in Cybersecurity is All About:

  1. Integrating cyber risks into the enterprise risk management process
  2. Resourcing cybersecurity initiatives consistent with security strategy, and balanced with other IT investments
  3. Maintaining the confidentiality and integrity of sensitive financial information to ensure security and compliance with applicable policies

What Finance and Administration professionals should do:

Ensure that cyber risks are integrated into the enterprise risk management process

  • Identify cyber-related risks to the enterprise early in the risk management process, not as a separate activity or late addition
  • Understand the many different business effects of cyber threats, which range from business disruption and loss of credibility to legal liability and physical damage

Provide sufficient funding to enable the success of the organization’s cybersecurity strategy

  • Reference the organization’s security strategy and external best practice frameworks to help prioritize investments
  • Work with cybersecurity leaders to understand how their resource requests align with strategy (which, in turn, should align with enterprise risk management); differentiate between the must-haves and nice-to-haves
  • Develop a complete view of security-related spending, which is often spread across multiple functional areas and budget allocations

Collaborate with other business functions on a plan for emergency spending

  • In the event of a cyber incident, incident response plans should also incorporate how to purchase needed equipment or services
  • Vendors and contractors should already be vetted and in place if such an incident should occur
  • Contingency plans should be made for loss of financial systems to ensure continuity with minimal disruption
  • Consider purchasing cyber risk insurance to offset the financial impact of security incidents
  • Ensure that the emergency plan includes compensating services for affected parties, such as credit monitoring services

Work with Legal and Compliance, and Information Technology, to ensure contracts with third parties include clauses for effective oversight of supplier cybersecurity, notification of incidents, and adherence to relevant industry and government policies and regulations

Define the appropriate balance of resource allocation between run-the-business or improve-the-business and secure-the-business investments

  • While the former can demonstrate a closer alignment to organization goals and performance, a rush to implement them often introduces new risks
  • If done properly, improvements in IT operations can also improve security and compliance, since many foundational controls for security (such as asset profiling, vulnerability management, configuration and patch management and access management) are essential to a well-run IT environment

Protect the organization’s financial viability and reputation by ensuring compliance with financial laws, regulations, rules, standards, and policies (both external and internal)

  • Understand the regulatory requirements associated with financial information, such as Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act (GLBA) and Payment Card Industry Data Security Standards (PCI DSS)
  • Support the cybersecurity team’s efforts to secure systems which are impacted by these requirements

Protect sensitive strategic, financial, legal, and risk information

  • Share only necessary information
  • Ensure the information is destroyed in compliance with the organization’s data retention policies or external regulations
  • Use encryption, passwords and other methods to secure files when you transfer them to others

Protect access to any online file sharing or decision support platform by applying best practices, such as:

  • Strong passphrases
  • Unique passphrases for each critical account
  • Multi-factor authentication

What we all should do:

Ensure that all operating systems and applications are at their most current and secure version by enabling automatic updates from the vendor

When working from home, secure your home network by applying best practices (see NIST SP 800-46 Rev. 2), such as:

  • Change your wireless router password and SSID, and limit the ability of others to find it
  • Maximize encryption levels on your wireless router
  • Increase privacy settings on your browser
  • Use Virtual Private Networks (VPN) to access corporate networks whenever possible
  • For additional security, protect browsing privacy through encrypted browsers
  • For additional security, protect personal email accounts through encrypted email

When traveling, secure your connections to the enterprise

  • Do not enter sensitive information on public computers, such as in hotel lobbies, libraries and internet cafés
  • Use VPN access to corporate networks whenever possible
  • Do not use public Wi-Fi without VPN to transmit sensitive information
  • Use a dedicated wireless hotspot for internet access
  • If a hotspot is not available, consider tethering to a corporate or business-issued cell phone
  • Consider using disposable phones when traveling in regions with questionable data security or excessive surveillance
  • Physically protect your computer from theft and unauthorized access

Use social media wisely

  • Apply strong privacy settings
  • Don’t share personal information on business accounts
  • Don’t share business information on personal accounts

Your title includes words like: Finance, Financial, Comptroller, Accountant, Budget, Risk, Compliance, Contracting, Purchasing, Procurement, Buyer, Acquisitions, Vendor Management, Auditor, Examiner, Loan, Trader, Underwriter

Information and systems you own, manage, or use:

  • Financial performance records
  • Budgets
  • Financial assessments and audit reports
  • Tax filings (e.g. IRS forms)
  • Public filings (e.g. SEC forms)
  • Planning tools and platforms
  • Enterprise risk management tools and platforms
  • Risk assessments and audit reports
  • Compensation and benefits information
  • Accounts payable systems
  • Accounts receivable systems
  • Contracts

A note to leaders

As Finance and Administration leaders, you are often the default arbiter for resource demands among the other business functions. At the same time, there are many decisions that must be influenced or made by you in organizational planning, enterprise risk management, and resource allocation in which you are not the subject matter expert—but the decisions must be made.

Get smart about cybersecurity and enterprise risk. Your job, and the financial health of the organization, depends on your ability to make reasonable recommendations and decisions where there are many trade-offs.

Human Resources

Planning, hiring, and supporting the development, retention, and compensation of the organization’s workforce

What Human Resources Does

If you are responsible for the management and optimization of the organization’s human resources—from entry-level staff to senior executives—as well as external stakeholders (job candidates to recruiters, consultants, human resources associations, and benefits providers), this applies to you. You direct human resource strategy in alignment with the organization’s strategy. Your role includes human resources policies and management, talent acquisition and development, workforce and succession planning, employee relations and engagement, culture and diversity, performance management, and compensation and benefits. You may also be involved in maintaining records in human resources administration portals and talent acquisition tools.

You matter to the organization, because without your expertise and efforts to acquire, cultivate, and retain the organization’s most valuable asset, its people, the organization would not possess the knowledge, skills, and abilities necessary to succeed. Because of you, best practices for human resource management can be applied in a consistent manner.

The Role of Human Resources in Cybersecurity is All About:

  1. Implementing best practices in organizational change management, employee training, and performance management to enable a cyber-secure culture
  2. Ensuring that critical cybersecurity roles are filled, consistent with the NICE Cybersecurity Workforce Framework, and that employees remain current on necessary knowledge, skills and abilities
  3. Safeguarding sensitive employee information
  4. Spearheading efforts to mitigate the risks of insider threat

What Human Resources professionals should do:

Leverage NIST Special Publication 800-181, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework to deploy human resources to the proper cybersecurity roles

  • Reference this framework for workforce planning, competency development, talent acquisition, and retention
  • Reference this framework to identify non-cybersecurity-specific roles that can perform cybersecurity functions
  • Apply the framework’s standard lexicon in internal planning conversations, to ensure a common understanding across business functions

Ensure cybersecurity knowledge, skills, and abilities are incorporated into employee training and development programs

Mitigate risks introduced by new hires by performing background checks

Require and track participation in cybersecurity training and awareness programs for all employees across the enterprise

Leverage human resources best practices to support retention of critical cybersecurity roles

Be vigilant to ensure selection of vendors that can effectively maintain the confidentiality of employee personal information, which frequently includes protected health information

Protect access to your human resource management platform by applying best practices, such as:

  • Strong passphrases
  • Unique passphrases for each critical account
  • Multi-factor authentication

Protect sensitive information in employee recruiting, performance, compensation, and benefits:

  • Share only necessary information
  • Ensure the information is destroyed in compliance with the organization’s data retention policies or external regulations
  • Use encryption, passwords, and other methods to secure files when you transfer them internally or externally to stakeholders such as recruiters and potential hires

Ensure the accounts of terminated employees are closed promptly

  • Immediately notify IT of pending or actual terminations
  • Update directories with new status, to ensure cascading of permissions changes across platforms and applications
  • Update HR records accordingly

What we all should do:

Ensure that all operating systems and applications are at their most current and secure version by enabling automatic updates from the vendor

When working from home, secure your home network by applying best practices (see NIST SP 800-46 Rev. 2), such as:

  • Change your wireless router password and SSID, and limit the ability of others to find it
  • Maximize encryption levels on your wireless router
  • Increase privacy settings on your browser
  • Use Virtual Private Networks (VPN) to access corporate networks whenever possible
  • For additional security, protect browsing privacy through encrypted browsers
  • For additional security, protect personal email accounts through encrypted email

When traveling, secure your connections to the enterprise

  • Do not enter sensitive information on public computers, such as in hotel lobbies, libraries and internet cafés
  • Use VPN access to corporate networks whenever possible
  • Do not use public Wi-Fi without VPN to transmit sensitive information
  • Use a dedicated wireless hotspot for internet access
  • If a hotspot is not available, consider tethering to a corporate or business-issued cell phone
  • Consider using disposable phones when traveling in regions with questionable data security or excessive surveillance
  • Physically protect your computer from theft and unauthorized access

Use social media wisely

  • Apply strong privacy settings
  • Don’t share personal information on business accounts
  • Don’t share business information on personal accounts

Your title includes words like: Human Resources, Human Capital, People, Talent, Workforce, Recruitment, Acquisition, Labor, Organizational Design, Training, Benefits, Compensation, Performance Management

Information and systems you own, manage, or use:

  • Employee data
  • Human resource information systems
  • Recruitment and onboarding systems (applicant tracking systems)
  • Performance management systems
  • Succession planning models
  • Benefits administration systems

A note to leaders

Human resource professionals have always played an important role in addressing business risks, ranging from natural disasters and workplace violence to lawsuits and lay-offs. Cyber-related business risks are no different: they cannot be effectively addressed without the implementation of best practices in workforce management.

Be proactive in working with other business functions to address cyber-related risks. Early involvement is the key to ensuring that the right people are in the right roles, with the right knowledge, skills, and abilities, doing the right things.

Legal and Compliance

Ensuring compliance with laws, regulations and standards, mitigating risk, and addressing legal matters

What Legal and Compliance Does

If you are focused on mitigating or responding to legal risks or compliance matters, this applies to you. You do this in large part by ensuring that the organization remains compliant with the numerous laws, regulations, and standards that apply to it. You may also respond to external inquiries, challenges or complaints, as well as internal matters of a sensitive nature.

You are close advisors to senior leaders, helping to set policies and priorities in a manner that balances the organization’s primary purpose with the risks to which it may be exposed. You are highly responsive to legal threats, and may become the focal point of interaction with those outside the organization when legal or compliance matters need to be addressed, such as during litigation, court proceedings, audits, and when law enforcement is involved.

You matter to the organization, because you ensure that it remains in good standing with laws, regulations and standards, allowing it to focus on its core competencies. Without you, the organization could easily find itself in trouble, and subject to criminal, civil and audit liabilities.

The Role of Legal and Compliance in Cybersecurity is All About:

  1. Minimizing liabilities associated with the organization’s cybersecurity posture
  2. Ensuring compliance with cybersecurity laws, regulations, and standards
  3. Addressing the legal implications of incidents when they arise

What Legal and Compliance professionals should do:

Understand the legal implications of cybersecurity in order to enable sound risk mitigation

  • Engage with credible third parties to learn about cybersecurity and law—this includes professional associations, industry groups, consultants, and educators
  • Remain current on emerging regulations and standards

Implement an effective compliance program for the organization

  • Assess the organization’s exposure to laws, regulations, and industry standards to ensure appropriate coverage
  • Establish and enforce information classification and access processes
  • Leverage existing best practices for compliance enforcement
  • Ensure third parties adhere to organizational cybersecurity policies through contractual terms, such as Service-Level Agreements (SLAs)

Actively participate in the enterprise risk management process, working with Planning and Governance, Finance and Administration, and other business functions to mitigate risks in a holistic manner

Implement measures to mitigate risks introduced by partners and suppliers

Actively support the organization’s incident responders during a suspected breach, including taking appropriate steps to preserve legal privilege to the extent possible

Conduct post-incident law enforcement engagement, vendor notifications and public notifications as required

Protect access to any online file sharing or decision support platform by applying best practices, such as:

  • Strong passphrases
  • Unique passphrases for each critical account
  • Multi-factor authentication

Protect sensitive legal and compliance information

  • Share only necessary information
  • Ensure the information is destroyed in compliance with the organization’s data retention policies or external regulations
  • Use strong encryption, strong passwords, and other methods to secure files when you transfer them to others

Lead the organization’s efforts to develop and implement privacy guidelines consistent with applicable laws, industry regulations, and best practices

What we all should do:

Ensure that all operating systems and applications are at their most current and secure version by enabling automatic updates from the vendor

When working from home, secure your home network by applying best practices (see NIST SP 800-46 Rev. 2), such as:

  • Change your wireless router password and SSID, and limit the ability of others to find it
  • Maximize encryption levels on your wireless router
  • Increase privacy settings on your browser
  • Use Virtual Private Networks (VPN) to access corporate networks whenever possible
  • For additional security, protect browsing privacy through encrypted browsers
  • For additional security, protect personal email accounts through encrypted email

When traveling, secure your connections to the enterprise

  • Do not enter sensitive information on public computers, such as in hotel lobbies, libraries and internet cafés
  • Use VPN access to corporate networks whenever possible
  • Do not use public Wi-Fi without VPN to transmit sensitive information
  • Use a dedicated wireless hotspot for internet access
  • If a hotspot is not available, consider tethering to a corporate or business-issued cell phone
  • Consider using disposable phones when traveling in regions with questionable data security or excessive surveillance
  • Physically protect your computer from theft and unauthorized access

Use social media wisely

  • Apply strong privacy settings
  • Don’t share personal information on business accounts
  • Don’t share business information on personal accounts

Your title includes words like: General Counsel, Corporate Counsel, Inspector General, Internal Audit, Legal, Compliance, Risk, Privacy Officer, Attorney, Investigator, Paralegal, Legal Assistant, Import/Export Compliance

Information and systems you own, manage, or use:

  • Articles of incorporation, charters and formation documents
  • Contracts and agreements
  • Compliance reports
  • Audit reports
  • Legal briefs
  • Communications with retained law firms
  • Communications with law enforcement agencies
  • Databases and file storage for Legal and Compliance teams

A note to leaders

No matter how many cybersecurity professionals are hired, or how much investment is made in mitigating tools and technologies, the organization will not be able to adequately address cyber-related risks until the legal implications are considered. Furthermore, the organization could improve security but still be exposed to liability due to non-compliance. Work with cybersecurity experts, as well as legal advisors, auditors, and consultants, to ensure that exposure is minimized and the organization can focus on its mission.

Ask the difficult questions. Your colleagues may not be asking the right questions, or may be avoiding addressing the hard ones. They may be ignoring the requests of cybersecurity professionals within the organization. But chances are, they will listen to you.

Information Technology

Leveraging technology solutions for business connectivity, productivity, and essential processes

What Information Technology Does

If you define, develop, test, deploy, support, maintain, and protect technology solutions for the organization, this applies to you. You are responsible for the “central nervous system” of the business, managing the computing systems and networks that enable decision making and communication, and then translating that content into processes that run the business. You likely interact with end users to gather their requirements and deliver against them. You may interact closely with the Human Resources and Legal and Compliance functions to ensure organization-wide awareness of, and adherence to, cybersecurity policies. You may also be involved in interacting with external vendors for technology acquisition and support. In the event of a cybersecurity incident, you would likely interact with service providers, law enforcement, and external cybersecurity organizations.

You matter to the organization, because you enable everyone to communicate, capture data, process information, and manage the systems that work depends on. Critical assets, including confidential information, intellectual property, competitive differentiators, and customer data, can be properly used and protected because of your role.

The Role of Information Technology in Cybersecurity is All About:

  1. Providing technical expertise for the security of information systems and associated technology platforms
  2. Implementing and maintaining a robust multi-layered (defense-in-depth) approach to the organization’s information security, consistent with industry best practices and compliant with applicable regulations and standards
  3. Responding to and mitigating security-related incidents

What Information Technology professionals should do:

Provide technical expertise in support of the organization’s cybersecurity program

  • Ensure current knowledge in cybersecurity tools, techniques, and procedures, including secure application and platform design
  • Cross-train other IT roles with security functions to provide broader awareness and greater capacity to implement cybersecurity best practices
  • Collaborate proactively with other business functions across the enterprise

Implement a robust cybersecurity program, with appropriate technical and process controls consistent with the organization’s risk mitigation strategy

  • Leverage cybersecurity best practice frameworks, maintained by authoritative entities such as the National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), and International Organization for Standardization (ISO)
  • Reference secure configuration standards from authoritative entities such as Defense Information Systems Agency (DISA) and CIS
  • If working with physical controls such as SCADA systems, reference ISA/IEC 62443
  • Work with external entities, such as consultants, auditors, professional associations and product and service providers to identify the best tools for the job

Integrate security into IT design, architecture, deployment and routine operations

  • Consider security upfront, not as an afterthought
  • Integrate security throughout the application development, testing, staging, and deployment process, including DevOps
  • Leverage IT operational best practices to improve security

Establish and help to enforce robust security policies for employees, contractors, and vendors, codified in acceptable use policies and other pertinent standards to which they can be held accountable

  • Work closely with senior management to secure support for policies
  • Apply the principle of least privilege to all accounts
  • Apply the principle of separation of duties for critical security tasks and handling of sensitive information

Establish, verify, and enforce robust cloud security policies for the organization

  • Ensure that cloud service providers deliver the level of security that the organization requires
  • Understand the shared responsibility models associated with consumption of cloud services
  • Establish and enforce internal security policies for use of cloud services

Protect access to any online file sharing or decision support platform by applying best practices, such as:

  • Strong passphrases
  • Unique passphrases for each critical account
  • Multi-factor authentication
  • Use of password manager systems or applications

Protect sensitive organizational information

  • Share only necessary information
  • Ensure the information is destroyed in compliance with the organization’s data retention policies or external regulations
  • Use strong encryption, strong passwords, and other methods to secure files when you transfer them to others
  • Ensure redundant storage of critical information

Maintain a high degree of technical competence in Knowledge, Skills, and Abilities (KSAs) essential to cybersecurity

  • Actively participate in professional associations, conferences, and events
  • Pursue formal education in relevant fields
  • Achieve technical certifications in cybersecurity domains
  • Continue to hone skills and demonstrate mastery through participation in cybersecurity competitions

What we all should do:

Ensure that all operating systems and applications are at their most current and secure version by enabling automatic updates from the vendor

When working from home, secure your home network by applying best practices (see NIST SP 800-46 Rev. 2), such as:

  • Change your wireless router password and SSID, and limit the ability of others to find it
  • Maximize encryption levels on your wireless router
  • Increase privacy settings on your browser
  • Use Virtual Private Networks (VPN) to access corporate networks whenever possible
  • For additional security, protect browsing privacy through encrypted browsers
  • For additional security, protect personal email accounts through encrypted email

When traveling, secure your connections to the enterprise

  • Do not enter sensitive information on public computers, such as in hotel lobbies, libraries and internet cafés
  • Use VPN access to corporate networks whenever possible
  • Do not use public Wi-Fi without VPN to transmit sensitive information
  • Use a dedicated wireless hotspot for internet access
  • If a hotspot is not available, consider tethering to a corporate or business-issued cell phone
  • Consider using disposable phones when traveling in regions with questionable data security or excessive surveillance
  • Physically protect your computer from theft and unauthorized access

Use social media wisely

  • Apply strong privacy settings
  • Don’t share personal information on business accounts
  • Don’t share business information on personal accounts

Your title includes words like: Technology, Information, IT, Infosec, Cybersecurity, Data, Systems, Computer, Network, Telecommunications, Database, Business Process, Software, Coding, Programmer, Web, Red Team, Blue Team

Information and systems you own, manage, or use:

  • Privileged accounts
  • Access controls to critical systems
  • Active Directory and associated personnel information
  • Results of cybersecurity assessments, audits and penetration tests
  • Internal infrastructure, from servers and storage systems to network devices and endpoint systems
  • Externally-hosted (cloud) platforms and data

A note to leaders

The technical expertise essential to effective cybersecurity resides within your business function. It is imperative that IT professionals, including but not limited to those with cybersecurity roles, have the requisite knowledge, skills, and abilities to perform their roles. This means continuous education, training, and certification to stay current in a dynamic field.

Keep your skills sharp. Ensure that you and your team members are able to address the complexities of the field, respond quickly to emerging threats, and answer difficult technical questions. Your credibility and performance depend on it!

Doing the Right Things

The following are guidelines for all individuals—as citizens, consumers and employees—regardless of business function, to avoid becoming “Patient Zero.”

When organizations become the victim of a cybersecurity breach, especially in phishing-related attacks, those investigating how the exploit entered their organization seek to find “Patient Zero.” This is a term adopted from medical forensics, and is used to identify the person or group that was the entry point for a malicious exploitation into their information technology environment.

While multi-layered security protections are important, particularly if implemented in an automated fashion, the organization is still relying on individuals to do the right things.

Individuals across many levels of an organization have damaged their organization’s brand and reputation, and even lost their jobs or ruined their careers when cyber exploitations have occurred. The obvious question for personnel in these organizations is “What should I do to avoid becoming ‘Patient Zero’?” What everyone should do is, in a general sense, straightforward: become more cyber-aware and exercise better cyber hygiene to reduce cyber risks.

In the context of an organization’s business and technology environment, organizations that want to create a robust cybersecurity culture must implement good cybersecurity practices to mitigate their critical cybersecurity risks. Most importantly, everyone must contribute to the organization’s security. To be successful in this area, this cannot be a one-time awareness or training event, but a continuous effort to make everyone aware of current cyber-related risks and the practices their organization expects each person to perform.

As a general rule, every individual in an organization should be performing the following common tasks:

  • Exercise caution when using information systems; if you are unsure or sense you may be doing something risky, seek guidance from responsible individuals
  • Fully understand your role and take personal responsibility for knowing how your organization addresses cybersecurity risks
  • Be willing to learn, since technology is continually evolving
  • Know how to handle, control, store, transfer and dispose of information in your organization
  • Protect your assets by physically safeguarding your computer, mobile devices, and non-electronic information
  • Follow your organization’s security procedures for facilities and prevent unauthorized access via social engineering tricks
  • Use the best authentication capabilities your organization offers for controlling access to computers, mobile devices and the information services and applications you use
  • Use encryption for information in transit and at rest
  • If you work from home, secure your home devices and connections
  • If you travel, know how your organization wants you to secure your connections back to the organization through public networks
  • Know your organization’s policies and practices for using personal devices for work
  • Know your organization’s security incident reporting policy and contacts
  • Take control of your own cybersecurity and safety; don’t assume that hardware and software providers will do it for you

Source: A Publication of the National Initiative for Cybersecurity Education Working Group, Subgroup on Workforce Management at the National Institute of Standards and Technology