Should CyberSecurity Be An IT Thing?

Before we can answer who should be in charge of Cybersecurity…

What is Cybersecurity?

Here is Google definition:

“The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.

So Cybersecurity really means to patch and upgrade your devices.  Configure devices so unauthorized access is not possible. create good security practices that reduce the chance of  Cybersecurity ‘events’. I.e. we want the people that are supposed to use computer resources to use them not others – like criminals or ransomware bots.

ISACA (Information Systems Auditing and Control Association) has another cybersecurity definition that adds CyberRisk.

“To understand Cybersecurity we must define the term cyberrisk”

“Cyberrisk is not one specific risk, it is a group of risks, which differ in technology, attack vectors, means, etc. “

The problem with this definition is that you have to have an understanding of risk, which is fine for most IT professionals, but the risk in IT is not understood by IT lay people(people that do not understand IT).

The CxO makes the decisions ultimately and cannot understand IT to the depth most IT people understand. So there will always be a gulf of misunderstanding. But the CEO does understand business risk, so we as IT professionals need to set up an environment where we can explain cybersecurity in terms of business risk.

The disconnect is as to what can happen and how much money needs to be budgeted to ensure that Cyberrisk is minimized?

Due to Cyberrisk of Ransomware – enough resources must be budgeted to ensure there is enough to successfully complete a Plan A or Plan B

  1. Plan A – patch all systems (assuming resources available)
  2. Plan B – If you do get attacked with ransomware – better have a functioning backup.

Your decision loop takes longer than the attackers which all they do is find new exploits and attack.

Businesses have to budget, purchase stuff, and execute. This always takes longer than the attacker finding new exploits.

So the attackers are always ahead of the game.


Now how should we answer the question? Who should be in charge of Cybersecurity? Should IT be in charge?  I think that there is no way around it, the new executive must understand a  certain level of Cybersecurity to talk to IT in a good manner(with understanding) and since Cybersecurity affects the whole company only the Senior execs should be in charge. But they just drive the whole thing (or are supposed to). The true answer is everyone is in charge of security

Contact Us to discuss your Cybersecurity cyberrisk.