6 Practical Tips for Making Cybersecurity Everyone’s Responsibility

One of the unfortunate side effects of the term ‘cybersecurity’ is that it sounds very technical.

This can lead people to conclude that it isn’t their problem, but something to be addressed by a group of people somewhere in the organization who are cyber experts.

However, the human factors in cybersecurity are increasingly recognized. The World Economic Forum Global Risks Report 2022 found that 95% of cybersecurity issues were “traced to human factor.” (The most recent edition of this report still found cybersecurity to be a significant concern, but didn’t provide information about the human factor.)

As a result, an increasingly common answer to ‘Who is responsible for cybersecurity?’ is now ‘everyone.’ However, while that may be technically true – and a better answer than ‘the CISO’ (chief information security officer) – it’s not a very helpful response.

But let’s take ‘everyone’ as a starting point. Here are six practical tips for making cybersecurity everyone’s responsibility.

In this blog

  1. Acceptable use policy
  2. Other policies and procedures
  3. Mentioning cybersecurity in job descriptions
  4. Cybersecurity awareness training
  5. Role-specific staff training
  6. Granular documentation

1. Acceptable use policy

The acceptable use policy, or ‘AUP,’ is a good place to start.

The AUP sets out for staff in general what they can and can’t do in terms of the use of company IT resources. It should cover matters such as, but not limited to:

  • Avoiding risky websites
  • Choosing sound passwords
  • Not installing unauthorized software
  • Personal use of organizational equipment

Of course, many of these may be supported by technical controls as well.

2. Other policies and procedures

However, the AUP is very generic in nature. There’s also a need to set out the specific cybersecurity aspects that relate to different roles.

For example, staff in a customer support center who have access to credit card details or personal health information need specific instructions about how they protect that data.

Other activities may not fall at the door of just one individual or group.

Access control example

Take the basic issue of access control. In many organizations, it won’t be possible to identify one person or group that is responsible:

  • Managers may have responsibility for authorizing an individual’s access to certain systems
  • Systems administrators may define the complexity requirements for passwords
  • The service desk may issue and reset authentication credentials

So, both the general and specific responsibilities of staff need to be defined and assigned. This can be done in various places.

Documenting responsibilities in policies

Most organizations have a range of information security policies or sub-policies within an overall policy. Each of these shouldn’t just state the policy requirements, but also specify who’s responsible for making sure they’re met.

This requires more than just a statement of who is responsible for maintaining the policy itself. It needs to identify responsibility for the various aspects of meeting the policy – those applicable to all users and those addressed by different parts of the IT function.

3. Mentioning cybersecurity in job descriptions

A second place that the responsibilities can be captured is in job descriptions.

Many job descriptions don’t mention information security responsibilities, but are an ideal place for documenting them.

For example, it can be explicit that the head of development will define and maintain an SDLC (secure development life cycle). Individual developers’ job descriptions might mention adhering to the SDLC and security coding guidelines.

If an organization is seeking to meet a compliance standard, it’d be a good idea to also maintain a responsibility matrix to map each applicable control to the role responsible for maintaining it.

4. Cybersecurity awareness training

But assigning responsibility is only one step. It must also be supported by sufficient and targeted training.

Many organizations require all staff to undergo information security training, but it may be generic, leaving much room for improvement.

One reason so many data breaches have a human element is that many cyber attacks start with phishing or social engineering. Staff awareness training, intended for all staff irrespective of job title, should specifically include phishing and social engineering attacks – how to recognize and respond to them.

5. Role-specific staff training

But staff with more specific responsibilities need focused training. This more granular, multi-layered approach to training is increasingly recognized in best-practice standards.


For instance, in addition to general security awareness training, the PCI DSS (Payment Card Industry Data Security Standard) requires specific training for:

  • Software developers
  • Payment device tampering
  • Staff involved in incident response

PCI DSS v4.0.1 adds training specific to the languages developers use, phishing and social engineering, and acceptable use.

NIST SP 800-53

NIST SP 800-53 also addresses this. For instance, control AT-2 requires ‘security and privacy literacy training’ for system users, including social engineering (control enhancement 5).

Meanwhile, control AT-3 recognizes the need for a role-based approach to training. It leaves it to the organization to define its own roles, but suggests:

  • Personnel with access to PII (personally identifiable information)
  • Software developers
  • Incident responders
  • Systems engineers
  • Managers
  • And more

The training should include “technical training specifically tailored for assigned duties.”

6. Granular documentation

This multi-layered approach isn’t reserved for training. Best practice requires the same granular approach to responsibilities – specifically, assigning and documenting them.

For example, PCI DSS v3.2.1 required responsibility to be defined for overall PCI compliance, overall information security, and a small subset of other factors.

Version 4 expands on this: For each main requirement, the first two sub-requirements are for a specific policy and specific assignment of roles and responsibilities for the activities within that requirement.

So, who’s responsible for cybersecurity?

Everyone – but not all in the same way. Responsibility should be specially assigned and documented, and supported by tailored training.

A one-size-fits-all approach won’t be sufficient to meet the current threat landscape or achieve compliance with standards, particularly when you have to meet multiple sets of requirements.

This is where software like CyberComply can help.

CyberComply makes compliance with cybersecurity requirements and data privacy laws simple and affordable. It helps you manage all your cybersecurity and data privacy obligations in one place, covering:

  • SOC 2
  • CMMC
  • NYDFS Cybersecurity Regulation
  • SEC Cybersecurity Disclosure Rules
  • Various US breach reporting and privacy regulations
  • Many more frameworks and regulations, both in the US and internationally