  • 18 July 2023
  • 5 min read

Is cyber security the responsibility of all employees?

Every employee is a vital cog in your cyber security culture. The days of the CISO being an organisation's cyber security lighthouse are in the past, but how do we encourage shared responsibility?

While the role of the Chief Information Security Officer (CISO) in safeguarding sensitive data and protecting against cyber-attacks is well-established, it is still important to ask: who is responsible for your organisation’s cyber security?

In this article, we shed light on the shared cyber security responsibility that lies with every individual and highlight why it is important for employees at all levels of seniority to take ownership of their cyber safety.

The threat landscape

With the rise of sophisticated cyber-attacks enabled by new technologies such as ChatGPT and virtual reality, and the increasing interconnectedness of systems across a whole host of industries, every single employee is now part of the attack surface. The days in which cyber security responsibility fell solely on the CISO's doorstep are well and truly in the rear-view mirror: commerce is far too connected for one individual to carry it alone. Cybercriminals routinely exploit human error, so every employee is both a potential target and a potential entry point. From phishing emails to ransomware, the threat landscape demands a collective effort to mitigate risk effectively.

We need CISOs and board members to drive the security-mobile

CISOs play a pivotal role in establishing an organisational culture that prioritises cyber security, but they are not the only managers and executives whose engagement we need. CISOs, board members and C-suite executives must lead by example, promoting awareness, education and best practice throughout the organisation. By fostering an environment that encourages open communication, collaboration and continuous learning, this leadership group can create a strong foundation for cyber security at every level.

Your employees will face unique cyber threats

Every employee, regardless of role, should have a fundamental understanding of cyber security risks and best practice. Why? Because every employee is at risk of a cyber-attack or a costly mistake at any moment and, importantly, your employees are not all exposed to the same threats. Your training programme must cover the basics for everyone, such as password management, email security, safe browsing and data protection, but you also need to tailor awareness and training to the role. For example, reception and client-facing staff need additional training on securing physical workstations and on clear desk, clear screen practice, whereas remote workers need a different focus. By offering regular, relevant training sessions and resources that employees can work through at their own pace, organisations empower them to become vigilant defenders against cyber-attacks. A major added bonus of individualised or segmented training is that it doubles as employee development, fostering loyalty and respect between employee and employer.

You can’t escape human error

When you navigate the cyber security industry, you will see many organisations claiming to hold the one-stop solution. What they prefer to ignore is that human error remains a major factor in successful cyber-attacks. You can add digital tools and platforms to your framework to help your employees, but ask whether each one adds a layer of complexity that is not actually necessary. Unintentional actions, such as clicking a malicious link or falling for a social engineering scam, can have severe consequences, but effective messaging can greatly reduce how often they happen. By emphasising the impact of individual actions on the overall security posture, organisations can encourage employees to adopt a security-first mindset and exercise caution in their digital activities.

Spot something, say something means everyone

Creating a culture where employees feel comfortable reporting security incidents or potential vulnerabilities is crucial. Fear of retribution or a lack of awareness regarding reporting channels can hinder the identification and mitigation of cyber threats. CISOs should establish clear reporting procedures, highlighting that early detection and swift response are vital in minimising the potential damage caused by security incidents. You need every employee to live by the mantra of ‘spot something, say something’. It’s no use having a long, sturdy line of soldiers if the tenth man in line has his back turned and his hands over his eyes.

Evolving threats = Evolving education

Cyber security is not a one-time effort. Shock, horror: it requires continuous education and awareness, and this is not just an organisational responsibility but also a personal one. Even outside the workplace, every person should be wary of their digital footprint and the information they put out there. Organisationally, CISOs should issue regular security updates, share industry news and provide resources such as newsletters, blogs or a learning management system where employees can access information as and when they need it. Personally, employees need to stay informed and up to date, because new threats emerge and best practice keeps evolving.


Cyber security is a responsibility that extends to every employee within an organisation.

CISOs, as leaders in information security, must foster a culture of cyber security awareness and training, instilling a sense of shared responsibility among employees.

By empowering employees with knowledge, providing ongoing education, and encouraging reporting, organisations can significantly enhance their cyber security posture and effectively mitigate the risks posed by cyber threats.

Remember, in the realm of cyber security, collective defence is the key to success. If you can frame cyber security responsibility as personal growth and safety, you will see a massive difference in development and knowledge retention.

If you would like more information about how The Security Company can help you create a cyber security training and awareness programme, or about how we can run a behavioural survey to pinpoint lax behaviours and suggest ways to improve, please contact our Head of Business Development and Sales, Jenny Mandley.

The Security Company's vast library of customised and non-customised products and services is tailored for small, medium and large organisations and is available in a variety of languages. We also offer bespoke solutions for organisations that want training and awareness materials built from the ground up.

Written by
Nas Ali
Cyber security and awareness content creator focused on emerging threats and the next wave of cyber security risks like AI, deepfakes and tech 4.0 initiatives in order to build towards a more secure organisational culture.
