Organizations face persistent challenges that traditional cybersecurity strategies often fail to address effectively. The continuing threat of human-enabled breaches, coupled with a shortage of skilled cybersecurity professionals, calls for a new approach. Drawing upon my own experiences with Total Quality Management (TQM) principles and leading teams in National Science Foundation (NSF) funded cyberinfrastructure projects, I have developed a methodology called Federated Cyber-Risk Management (FCR) that changes how organizations tackle cybersecurity challenges.
FCR offers a transformative solution based on shared responsibility for cybersecurity leading to a security-engaged organizational culture. This article explores how FCR can help organizations overcome cybersecurity challenges and build a resilient security posture.
My journey into the principles of TQM began shortly after I graduated with my first degree in computer science. I worked at a company that was deeply invested in a “Quality is everyone’s responsibility” initiative. This firsthand experience revealed the power of total employee involvement, continuous improvement, and a process-centered focus.
Later, while leading teams in NSF-funded cyberinfrastructure projects, I was influenced by the Atkins Report’s call for a comprehensive view of cyberinfrastructure. The report emphasized integrated and cross-functional collaboration in cyberinfrastructure.
Both of these experiences involved a realignment from a narrow expectation of stakeholders to a fully shared responsibility model. In the case of TQM, quality went from being seen as a responsibility limited to specially trained personnel in a centralized team to being the responsibility of everyone in the organization.
Before the release of the report “Revolutionizing Science and Engineering Through Cyberinfrastructure” (the Atkins Report) in 2003, cyberinfrastructure projects were limited to hardware and software; since then they have also included people, organizations, and social practices.
These experiences, when combined with my other work experiences that span technical and business perspectives on building and securing systems, laid the groundwork for understanding the potential of a holistic approach to cybersecurity and ultimately led to the development of FCR.
FCR shares several key principles with TQM, including the importance of total employee involvement and shared responsibility. Just as TQM emphasizes that quality is everyone’s responsibility, FCR stresses that cybersecurity is not solely the domain of IT professionals. This means every staff member has a role in maintaining security. This shared responsibility ensures that security measures are embedded in every part of the organization, not just within the IT department.
Similarly, the Atkins Report reminds us that in cyberinfrastructure, a focus on hardware and software alone doesn’t solve big problems. Instead, we need an approach built on cross-functional perspectives, with shared responsibility between stakeholders working on the technical aspects and those working on the people, organization, and social practice perspectives. An objective analysis of the challenges reveals that the same truth applies to cybersecurity.
Narrow Perspectives. One of the primary challenges in today’s cybersecurity landscape is the tendency for experts to view problems through a narrow lens. The parable of the blind men and the elephant illustrates how limited perspectives can obscure the bigger picture. In cybersecurity, focusing narrowly on specific areas can miss broader vulnerabilities. An assumption that cybersecurity is a purely technical topic leads to the perpetuation of organizational vulnerabilities.
Skill Set Doubts. Another common challenge is the belief that non-technical participants cannot add value to cybersecurity. FCR, however, recognizes the diverse skills required for effective cybersecurity and empowers all employees to contribute. Administrative controls in particular (policies, approval workflows, access reviews, vendor assessments) are prime examples of cybersecurity practices that rely more heavily on business skills than technical ones.
Unclear Risk Ownership. Finally, many organizations struggle with a lack of clarity around risk ownership, and centralizing cybersecurity within a single team often makes the confusion worse. FCR clarifies this by distributing responsibility, making it clear who is accountable for what. This transparency ensures that everyone understands their role in protecting the organization, leading to more effective cybersecurity practices.
A key gap in many cybersecurity programs is this lack of clarity regarding risk ownership. Resource owners are typically business and IT stakeholders with budgetary and operational authority, yet the organization often assumes that the security team owns full responsibility for protecting those resources from breaches. Meanwhile, security stakeholders, recognizing that many factors affecting the security posture are controlled by non-security personnel, know they cannot own the risks exclusively.
This disconnect creates a no man’s land between security teams and the other organizational stakeholders, where neither side can fully own the risk. Drawing upon TQM’s emphasis on ownership and responsibility, FCR helps organizations define resource owners as risk owners and security teams as service providers, allowing clear contracts between the two to be established.
While awareness involves recognizing security risks, engagement goes a step further. Engagement means knowing what actions to take and being empowered to act accordingly. The ever-persistent problem of human-enabled breaches will not be addressed until we, as an industry, start aiming for security-engaged organizational cultures and stop settling for awareness alone. FCR focuses on fostering a truly security-engaged culture, ensuring that all employees are actively involved in cybersecurity practices. Engagement is a byproduct of participation.
At its core, FCR is a framework that incorporates TQM principles to address the unique challenges of cybersecurity. It is the cornerstone practice of a broader family of federated cybersecurity approaches that emphasize shared responsibility and collaboration. FCR distinguishes itself by its strong focus on shifting from awareness to engagement, recognizing that true security requires active participation from all members of an organization.
Broad Participation. Inspired by TQM’s systemic approach, FCR involves multiple departments in cybersecurity efforts. This integration ensures a comprehensive defense, as all departments work together to identify and mitigate risks.
Centralized Security Teams as Facilitators and Service Providers. In FCR, cybersecurity professionals act as facilitators and service providers, guiding and supporting other departments in their security efforts. This role is similar to that of quality professionals in TQM, who support and promote quality practices across the organization.
Cross-Functional Collaboration. The Atkins Report’s holistic view of cyberinfrastructure aligns with FCR’s approach, emphasizing cross-functional collaboration. By adopting this view, organizations can ensure that all aspects of cybersecurity are considered and integrated.
Addressing Staffing Shortages. By distributing responsibility, FCR alleviates the burden on limited cybersecurity staff, making better use of available resources. This approach ensures that all employees contribute to maintaining security, reducing the pressure on specialized staff.
Reducing Human-Enabled Breaches. Engaging all employees in cybersecurity reduces the likelihood of breaches caused by human error. By fostering a security-engaged culture, organizations can ensure that employees know what actions to take and are empowered to act accordingly.
Enhancing Organizational Resilience. A key outcome of both TQM and FCR is enhanced resilience. This resilience enables organizations to better withstand and recover from security incidents, ensuring continuity and stability.
Federated Cyber-Risk Management represents an evolution in cybersecurity, building on the principles of TQM and insights from the Atkins Report. By adopting FCR, organizations can create a more resilient, engaged, and effective cybersecurity posture. It’s time to embrace this holistic approach and take the first steps toward a more secure future.
Sonya Lowry is the creator of Federated Cyber-Risk Management (FCR), a revolutionary approach that transforms how organizations handle cybersecurity by fostering a culture of shared responsibility. Sonya’s work centers on empowering organizations to move beyond traditional, centralized security models by engaging every stakeholder in managing cyber risks and making cybersecurity a collective effort.
With a deep conviction that cybersecurity is as much about people as it is about technology, Sonya helps organizations implement FCR to build security-engaged cultures. In these environments, every employee understands the risks and is equipped with the knowledge and authority to take action, ensuring a more resilient and proactive defense against threats.
Sonya’s innovative approach to cybersecurity is built on over two decades of experience in information technology, data analytics, and risk management, including significant leadership roles in both the private and public sectors. However, her recent focus on integrating human-centered strategies with technical solutions through FCR is what truly sets her apart as a leader in the field. Sonya is dedicated to reshaping the cybersecurity landscape by ensuring that organizations are not only protected but also empowered to adapt and thrive in the face of ever-evolving threats.