Who Is Responsible for Cybersecurity Resilience? It’s Complicated, But it Doesn't Need to Be

As our cybersecurity response capabilities and tactics continue to improve, so, unfortunately, do the tactics from threat actors. Cybercrime has increased 600% during the COVID-19 pandemic, according to PurpleSec reports and combatting these incidents is a growing problem that continues to escalate despite our best attempts at mitigation and prevention. Why does this continue to happen and what should we be doing differently? It may be time to review the role of responsibility among all involved.

Everybody Has an Obligation to Protect Data, Systems

In almost any discussion of cybersecurity, the question arises: whose responsibility is it?

• Are MSPs responsible for ensuring companies are protected?
• Are companies responsible for their own cybersecurity initiatives and measures?
• Should the government be involved with mandating cybersecurity protocols?
• To what degree are users responsible for protecting their own information?

Round and round we go.

When it comes to cybersecurity, there is often a conflicting understanding of who is responsible for ensuring the safety of company data and systems. Experts argue that the management of cybersecurity should not lie with a single entity, even when that entity is a partner who specializes in cybersecurity. In fact, most industry professionals are pushing more toward a community of shared responsibility, where every party assumes a certain level of ownership when it comes to protecting their information.

“It’s a shared need that’s bigger than a responsibility,” says Chris Spinks, managing director of Cyber Force, during a session at CompTIA’s EMEA Member and Partner Conference in London. “This is all our livelihoods. This is our parents, our kids, our businesses, those customers we meet, those customers that walk past our shops. It’s our moral code and what we have to do as human beings.” Spinks urges us to resist looking at the responsibility issue from a business perspective, adopting a personal approach instead where every user bears at least a portion of the burden.

MJ Shoer, CompTIA’s senior vice president and executive director of the CompTIA ISAO, agrees that the impact goes far beyond the business environment. “Cybersecurity is a threat to our global economy, it’s a threat to our global societies,” he said in London. “In areas around the world, we see the impact of increasing cybersecurity threats, destabilizing societies, making economies more volatile, and yes this is a moral imperative, it absolutely is.”

Given that we need to redefine the parameters of responsibility, what are the next steps?

Improving Cybersecurity Resilience

Once we begin to look at cybersecurity through a shared lens, here are some things we can do to ensure we are being more proactive:

1. Educate Users and Businesses

Most experts will tell you that the weakest link in a cybersecurity chain is the human. Breaches often occur when users unwittingly reveal credentials to social engineers or respond unknowingly to a phishing scam. “The majority of incidents could be avoided with proper education,” said Shoer. Experts suggest that the real path to resilience begins with user education.

2. Eliminate Cyber Shaming

Our current culture reinforces a lack of transparency. Unfortunately, companies who have experienced a breach are often ostracized by others. Shoer noted that “it’s time to do away with cyber shaming.” He also recommends that we “encourage people to come forward when they even remotely suspect something is out of order.” Without transparency and information regarding cyberthreats, we have little hope of combatting them in a timely and efficient way.

3. Partner and Collaborate

There has been a recent trend of MSPs trying to become managed security service providers (MSSPs). Experts caution that this isn’t necessarily the right roadmap for success. Why exhaust your resources trying to upskill or recruit for skillsets when you don’t really even know what you’re looking for? In fact, partnering and collaborating with existing MSSPs and cybersecurity experts offers more benefits than attempting to undertake those initiatives alone.

4. Be a Smart Recruiter

In tech communities, there is often discussion about a skills gap. But maybe we simply aren’t recruiting the right talent, said Spinks, who helped implement a successful cybersecurity internship program to which he gives tremendous credit for solving security challenges. “Kids understand the evolving threat because they were born during that time,” he said. “We need to define the problem and let the kids solve it.” Spinks encourages employers to use recruiting tactics that will be more appealing to younger populations in order to build a more successful hiring pipeline.

5. Encourage ‘Muscle Memory’

Cybersecurity experts often refer to response capabilities in terms of muscle memory—or how prepared a team is to respond to an incident should one occur. If you’ve practiced, you’ll be ready. If you haven’t practiced recently, you won’t be. Experts encourage tabletop exercises that include critical stakeholders. “Game it out with everyone,” said Shoer. “Lawyers, finance, stakeholders, all the way through your teams so they can see the hard cost on an incident and then share that internally.”

The Continued Struggle Against Threat Vectors

Even companies who take every measure possible to protect against cyberthreats, including what we’ve outlined above, are still at risk. Francis West, CEO of Westtek Solutions, noted at the EMEA event that ransomware incidents are up approximately 330% in the last 12 months. Rather than enhancing cybersecurity measures, many de-prioritized their efforts. “Throughout the pandemic, 91% of IT teams reported that they were forced to set cybersecurity concerns aside for productivity concerns,” added Shoer. “Think about that. That’s frightening.”

But there is hope on the horizon. Be transparent with incidents and keep working to bolster your education and safeguards and we will be well on our way to a strengthened IT.