The Myth of Shared Responsibility
The uncomfortable truth is that "shared responsibility" is a myth that allows organizations to talk about security without making consequential changes to incentives and accountability structures.
"Security is everyone's responsibility" - this well-intentioned mantra echoes through corporate hallways, yet organizations continue to struggle with security breaches and vulnerabilities. The uncomfortable truth is that shared responsibility often means no responsibility at all, especially when it comes to cybersecurity.
The fundamental problem lies in misaligned incentives. While security teams are measured by incident rates, compliance metrics, and risk reduction, other departments focus on speed to market, feature delivery, and revenue growth. When these priorities clash, security typically loses. A product team racing to meet a launch target is unlikely to prioritize anything that could delay release dates. Business units under pressure to improve productivity might bypass company policies and share regulated data through unauthorized cloud services. Marketing teams might deploy leaky tools to meet campaign deadlines.
This misalignment creates a dangerous asymmetry of consequences. When a security breach occurs, the security team bears the brunt of the fallout - late nights, incident reports, and challenging questions from leadership. Meanwhile, the departments whose actions contributed to the vulnerability often face no direct repercussions. Their performance metrics remain unaffected while security cleans up the mess.
The solution isn't more security awareness training or stern emails about compliance. Instead, organizations need to fundamentally rewire how security impact flows across departmental boundaries. Here are a few ways that security teams can drive meaningful change:
Make Security Impact Visible
Security metrics are most effective when they’re integrated into departmental KPIs and performance reviews. If an engineering or product team's metrics don't account for security debt, they'll continue to prioritize speed over safety. If procurement's vendor assessment process ignores security risks, they'll likely choose the cheapest option regardless of vulnerabilities.
Transform Budget Conversations
A good percentage of security professionals allow other departments to treat them like a cost center that can be ignored. This perception is difficult to change if other departments don’t know or feel the cost of their security risks. When a team wants to deploy a new tool, persuade them to factor security assessment and ongoing monitoring costs into their own budget. Putting those costs on their books creates natural incentives to choose secure solutions and follow security protocols.
Reframe Security as Business Enablement
Help other departments understand how good security practices can accelerate their objectives - from faster deployment pipelines with built-in security to improved customer trust driving sales. Track and measure your impact, then report it up the chain.
Measure What Matters
Move beyond traditional security metrics to track business impact. Instead of reporting on vulnerability counts, show how security improvements reduce deployment delays, increase customer satisfaction, or improve sales win rates. This helps other departments see security as a valuable opportunity rather than a burden.
The myth of shared responsibility persists because it's comfortable - it allows organizations to talk about security without making consequential changes to incentives and accountability structures. Productive security (rather than performative or checkbox security) requires moving beyond this myth to create tangible consequences and rewards that align departmental behaviors with security objectives that extend beyond the security team's boundaries.
What Do You Think?
Join my friends at Credible Security and me on Tuesday, February 25, for a livestream that challenges the popular corporate mantra "security is everyone's responsibility" and reveals why this well-intentioned approach often leads to security failures.
We'll explore approaches that go beyond awareness training, including integrating security metrics into departmental KPIs, transforming budget conversations, and measuring what truly matters for your business.
Don't miss this candid discussion about creating meaningful security accountability. Perfect for security professionals, department leaders, and executives who want to move beyond performative security to build truly resilient organizations.
Location: youtube.com/@CredibleSecurity
Date: Tuesday, February 25, 2025
Time: 11:30am-12:30pm ET