Cisco Blogs

Security – Who is Responsible?

January 14, 2010 - 4 Comments

Do you view your security posture in the office as more or less important than that of your residence? And how does that compare to the personal security profile you exercise for yourself and your family? Who should be shouldering the security responsibility? I posit — you are responsible. And I would add that you also need to hold yourself accountable.

At work you may rely on yourself. If you are fortunate enough to work for a company with resources focused on security, you may, dare I say, share that reliance with a few groups. These groups include the “information security” team that attempts to keep information safe (be it data, network, laptop or smartphone), the “physical security” team that keeps your building safe from intruders, and the local “industrial police force” responsible for keeping your person safe and secure. Such reliance is appropriate. In each instance, the person or entity you are relying on the most is also relying on you at least as much, and oftentimes more so.

An example from the physical world: when you ride public transport you rely on the operator of the vehicle to drive in a safe and secure manner and obey the “rules of the road.” These rules are designed to keep order as we meld in amongst the chaos we affectionately call “traffic.” The operators are also relying on you to make the right choices (how to enter and exit, pay fares, sit and stand, etc.) and to understand the consequences — be they intended or unintended — of your choices should you not follow the rules. This is the accountability part of the equation — you own the end result of your choices and actions.

Throughout my 30+ years involved in the practice of security it has been my experience that too often people ascribe responsibility for their security to others. When is the last time you heard someone say, “It is my responsibility to be secure! It is my responsibility to maintain security!” or conversely, “Today I am going to be insecure!” It just doesn’t happen. Though the reality is that every single day my actions demonstrate my desire to be secure and maintain security, and perhaps yours do as well. And yes, it has also been my experience that occasionally I’ve made choices which have caused others to say, “What was he thinking?” and conclude, “There wasn’t any thought process engaged.” I will try to keep those instances to a minimum. However, we all bear responsibility for our own security.

Let me share a few of my thoughts:

Security — what’s a right choice? Fundamentally, understanding why one choice is superior to another in contributing to your security and maintaining your security is how one measures success in remaining secure. I am mindful that a list of suggestions or admonishments of “what not to do” is of little value, whereas a discussion on “how or why” carries utility, and therefore value.

So, sticking to my previous automobile analogy, let’s compare how we are responsible for our security in both the physical and online worlds. When we wish to use an automobile, we are required to go through a number of steps even before we get the vehicle rolling. During the drive, we adhere to the rules of the road (drive on the appropriate side, use our signals, stop at red lights, go when green, etc.). When the engine light illuminates, the brakes start to screech, or the steering pulls too far left, we take note and either perform the required maintenance or take the vehicle to the garage for service. We correct. The mechanic isn’t sitting in the backseat providing telemetry on your vehicle’s operation, and unless my grandmother is in your backseat, you’re probably not being told how to steer, accelerate or brake. You are responsible. All of these actions are the responsibility of the operator — the user. You, the user, decide “How do I maintain my vehicle and operate it?” When you violate motor vehicle laws (and are caught), what occurs? You receive a ticket, and tickets carry consequences. In the US the consequences might include a monetary fine, points on your license and, for some, a mandatory trip to court. With choices and actions come consequences.

You see where I am taking you. In the online world, we have the same basic responsibilities for security as a driver has in the physical world for safety. I personally strive to know and understand the best possible security protocols available to me in my work environment. Why? Because I know that the individuals and teams who create the policies and procedures, and the teams that research and select the software and hardware I use, are there to keep me and my experience safe. My responsibility is not to undermine the work of others. If I don’t have that support apparatus, then I rely on the reviews and advice available and make my choices and purchases accordingly. I should, if I am thinking rationally, make sure auto-update is enabled for my software, as this is the means by which the vendor patches previously unknown vulnerabilities. What if I am a singleton or a small business without a security team supporting me? Is my lack of a support team in and of itself a vulnerability? Not in my view. You can still follow the preferred practices of the industry: strong passwords; passwords that are not reused across third-party environments; keeping security software switched on rather than turning it off because it steals CPU cycles and slows the system. And have a defined process for what happens if an anomalous event is observed. In my case, I take note, and I take action — I contact those who support me, and I research the security of my applications when alerted.

How do I know this? Osmosis? No. Just as I learned how to drive and maintain an automobile, I must learn how to be a responsible user. This takes education. When I learned to drive I took driver’s education. Why wouldn’t I take computer user education? I read, trained, and practiced prior to being tested for my vehicle operator’s license, and tested I have been — in every single state or country I’ve resided in. I avail myself of any and all training presented so that my and my family’s online experiences are safe and secure. If I undermine my own secure computing environment, what are the consequences? At work I might lose sensitive company data; at home I risk losing personally identifying information, account information or family memorabilia.

In closing, wear your seat belt when riding in a motor vehicle; don’t inflict wounds upon yourself in your online experience — use strong passwords, keep your security software up to date, and back up your data.

Thank you for your time,



  1. Erin, Greeze and Andrew – thank you all for taking the time to both read the piece and provide your comments. Erin – thank you, you’re absolutely right, it’s about lowering the risk to the individual user – defined as a family and their PC or an individual as part of a corporate network. Awareness and education is one of the ingredients. Thanks for all you do in this regard. Greeze – thank you, your comment that it is about choice is spot-on – we all have the opportunity to choose, and through those choices come the responsibility and accountability for the outcome. Andrew – 100% is always a challenge; I think of it as an aspirational goal. A goal worthy of pursuit. Thanks again, Christopher

  2. I agree that security is ever evolving, and much like Christopher’s example, driving is not 100% safe either. I’m sure we can all agree that all the steps we take as precautions start to minimize our exposure to risk. Great perspective on the topic. -Erin

  3. This post about security reminded me about the author whose Google and Gmail account got hacked into sometime last month. Since the author is quite a technical person himself, it’s just scary that no matter how secure we try to be, especially when we’re online, it just doesn’t seem to be enough. It’s like, even if we have CCTV and alarms installed in our home, we still need to learn some basic self-defence skills just in case the robbers manage to break in. To me, I feel that it’s really important for the software/product manufacturers to ensure that their users are safe. For example, if Gmail was hacked into, then it’s Google’s Gmail security team which should be accountable, whether or not it’s IE 6’s fault. Another example: as a Microsoft OS user, I would expect Microsoft to provide me an OS which is secure and problem free. They recently launched Microsoft Security Essentials – a free antivirus, which I think is a good move in attempting to secure their users from computer viruses and malware. But then again, some prefer to go for Macs instead of Windows PCs because there’s hardly any viruses for Macs. I guess in response to this article on who should be responsible for security, YES, it should be ourselves, because the ultimate choice lies with us on which products we choose, besides practicing safe computing. Logically, we would go for a product which can assure us total security. One article which I would like to share: Top 5 security predictions for 2010

  4. Security is something which you can never get 100%. All we can do is try to protect ourselves from the very obvious, but if someone wants your information they’ll get it. Even if you lock down your systems 100%, you can still get social engineered. I dunno, maybe someone comes by wearing a fake cop uniform, with a fake warrant to seize your servers. Most people would just hand things over, without ever double checking that it’s real. So work on security, but you have to realize that nothing is ever 100%.