Security is NOT everyone’s job in the company. Stop trying to force the issue. It’s security’s job to enable, incentivize and protect.
In the Marine Corps, I was taught that every Marine is a “Rifleman”, meaning that any Marine, no matter their MOS (Military Occupational Specialty), aka their job, could be called upon to engage with the enemy using a rifle or other weapon. This meant that every Marine must be trained, and regularly re-trained/tested, to ensure their proficiency with a rifle. Other branches have similar stances or sayings.
I believe the mindset that every person in a company has a stake in its cyber security came from veterans. That or it came from the realm of safety, which I 100% support. Safety is everyone’s responsibility. Now is where some of you are equating cyber security with safety, and yes, they do sometimes overlap.
However, in most cases, cyber security has nothing to do with the safety of a corporation’s personnel, customers, or its community.
So what am I saying? 3 things:
Number 3 is super important. If you allow people to talk negatively about another group in your company it will quickly become the law of the land, and will decrease motivation to find equitable solutions or even have equitable conversations.
At the end of the day, we, the security community and vendors, have to do a better job at solving problems and rejecting solutions that just perpetuate the status quo.