The Problem With Cyber Security Being Everyone’s Job
Cyber security consultants and social media luminaries like to say that “cyber security is everyone’s job.” A great statement and certainly true to some extent.

What’s worrisome is that it’s a statement that is almost too easy to say, especially if you aren’t “on the blame line” for execution. It sounds great.
But, without something actionable, it’s just a platitude. It’s another phrase like “don’t do drugs” or “don’t get into car accidents.”
And, that’s a problem.
So, if you want “security as everyone’s job” to be true in your organization, someone will need to provide context, meaning, and actionable expectations to the statement.
That someone is you, the cyber security practitioner.
The obvious fact is that the goal behind this saying isn’t for every person to be a full-fledged security practitioner like you. We want employees to be vigilant on key aspects of cyber security and cyber hygiene in the course of their own job. That could be finance, contracts, warehouse management. Whatever. They’ll need a reason to take on what they’ll view as additional work.
So, rather than focus on our needs as a security team, we need to find ways to compel each employee to follow good security practice within the day-to-day work that forms their role.
- You’ll need to understand what motivates other employees.
Culture impacts the ability to make change within a “tribe”. What is it about the organization that makes them a tribe? Who are the informal leaders within the organization? These could be the levers that you need to create an informal peer pressure to be more secure. In some organizations, it might be the importance of protecting the company reputation and brand. In others, it might be aggressive revenue growth. The lever that compels others is yours to find.
- You’ll need a good story.
Good stories help provide context to broad audiences in an easy-to-understand way. While you’ll be telling this story to groups, you’ll intertwine the culture and motivation levers so that employees individually feel like they are the star of the story that you tell.
Hone the right message at the individual level and everyone will collectively feel like they own the responsibility for security.
- You’ll need to set expectations and give guidance.
You’ll need to make the message actionable. Employees should know what the expectations are on them. The expectation can’t be that they’ll read a 10-page security policy, but it can be that we ask them to follow a set of 3–4 bullet-pointed practices each month/quarter. Having a format in which you can explain the “why” behind the rationale for key policies will also increase the uptake and internalization.
- The cyber security team will need to change their approach.
Employees won’t be able to internalize ownership of key aspects of security if the security team is still trying to own all of the business processes. Your team will have to find time for new skills as well. You’ll need engagement plans and negotiation skills that help others make cyber security their job.
If security is everyone’s job, there is no “everyone” for a cybersecurity team that is working in a vacuum.
This means taking off the mask, and looking up from the tool consoles and the framework documentation to engage with people. And help them. Engage with everyone, actually.
With the above approach, you’ll have a shot at making security compelling enough and actionable enough to make security part of everyone’s job.
You’ll know that you’ve made it when everyone can have ownership of their part of cyber security too.

