How to establish a security culture within IT

It’s impossible to establish a security culture within a corporation if such a culture doesn’t already exist within IT. IT is responsible for too many of the pathways and processes that can be manipulated by malicious actors to avoid playing a central role in cybersecurity defense. If the entire IT organization doesn’t take its cybersecurity responsibilities seriously, what hope can there really be for establishing such a culture throughout the enterprise?

While IT cannot establish an enterprise-wide security culture on its own, it should provide an example of such a culture that other functional departments can emulate. Unfortunately, this is rarely the case. There are too many IT shops in which security responsibilities have been delegated to a small team of security professionals and are largely ignored by other staff members.

Many IT groups outside the security team routinely dismiss, disregard or debate instructions to insert more rigorous safeguards into their existing technology stacks or operational procedures. Furthermore, it’s not uncommon for individual staff members to express dismay or indifference when asked to assist in the resolution of security-related audit issues or the response to specific security incidents. Security training is frequently regarded as a waste of time and an unwarranted intrusion on an individual’s other, more pressing responsibilities.

Read full article on CIO.com

 

