Password Management Is Much More Than an IT Problem

Two years ago the CIO at Quest Credit Union  had no problem extending responsibility for password management beyond just the IT department. That’s because C-suite executives were using a password management solution for personal use. Thus getting the the organization aligned with an enterprise password management solution was almost automatically a shared responsibility.

There are many compelling reasons why small and mid-sized businesses (SMBs) absolutely must make password management an organization-wide effort, not just an issue delegated to IT. Unfortunately in many SMBs today, this responsibility is left entirely with IT. In doing so, these organizations run the greater risk of failing to build a risk-aware culture across the organization – an effort aimed at ensuring every employee knows exactly why cybersecurity is mission-critical today.

The landmark Ponemon Institute State of Cybersecurity in SMBs, which polled some 600 SMBs, found that 71% of respondents emphasize password protection and management as important. Surprisingly in 60% of these businesses, IT has no visibility into employee password practices. In SMBs that do have password policies, 65% do not strictly enforce them.

Could the reason be that IT alone does not have the weight or influence to affect password policy enforcement?

A recent report from PwC piles on even further. In its Global Economic Crime Survey 2016, PwC says that all too often non-IT executives are more than willing to pass the buck to IT when it comes to cybersecurity in general, of which password management is a key element.

This is wrong, PwC maintains, adding that responsibility for all aspects of cybersecurity “must be embedded within an organization’s culture.” Non-IT executives must “incorporate cybersecurity into their routine risk assessments and communicate the plan up, down and across organizational lines, ” PwC states.

Juliet Maina, an attorney who frequently writes on cybersecurity and the law, suggests that non-IT executives may put their organizations at risk if they cannot show a concerted effort to involve themselves in cybersecurity strategy, including password management. “Cybersecurity is and needs to be acknowledged as an executive level concern,” she notes. “As the leader of a company, one ought to be aware of the defense strategies that are in place, and ensure that holistic approaches are taken towards ensuring security and the protection of investments. This top-down approach is crucial for success.”

With password management being a key element of an overall cybersecurity strategy, what can be done in practical terms to begin to shift the responsibility for such strategies to a broader coalition of C-suite managers? As it turns out, IT can take the lead in this important, company-wide effort.

Educate, don’t scare. Many C-level executives shun cybersecurity involvement and responsibility because they don’t fully comprehend the supreme value of data in their own organizations – and therefore the dangers of a breach or attack. It’s easy to see why matters like data compliance and regulation might not interest them. Your job as the IT leader is to put those matters in proper context. Non-compliance, breaches and attacks have very real and very costly consequences. The PwC report shows that only 37% of organizations have a management-backed cyber incident response plan in place. Now is the time to distinguish your SMB from the majority of companies where senior management is a silent partner in password management and cybersecurity.

Cybersecurity is mostly about people Ask most C-level SMB executives if their companies are protected and they’ll likely answer, “Sure. We got firewalls and antivirus stuff.” As the IT leader you know the reality is that it is human error, or deliberate acts by employees, that are at the root of cybersecurity challenges. Getting senior management firmly behind a comprehensive password management strategy is one of the fastest ways of reaching virtually every single employee with a powerful, unified message that cybersecurity is everyone’s responsibility. When senior management endorses and funds such a password management strategy, every worker becomes responsible and accountable for cybersecurity.

Cybersecurity is not a one-off. It is one thing to get senior management involved in a password management and general cybersecurity strategy, and another to keep them involved. That’s why part of the education of the C-suite is the message that security is an ongoing, evolving endeavor that needs regular review meetings. These are best led by IT leaders, who are well suited to put changes to the threat environment in concrete business terms. It is this periodic engagement with senior management that can ensure password management and cybersecurity is never again considered ‘just an IT problem.’