CHAPTER 11 Closing Thoughts

“Security is everybody's job.”

—Tanya Janca

It is every person's responsibility to perform their job functions in the most secure way they know how; otherwise we are breaking the trust of our employer. If there are security policies in our workplace, just like any other policy of our organization, we must abide by them. When we are hired, our employers trust us to do the best work we can, in good faith, and this includes security-related work.

If you work in a security role, you know better than anyone else that we cannot possibly perform all of the security work on behalf of everyone in our organization. We cannot be there every moment when security work needs to be performed. For instance, we can't be there every time an employee decides if they will allow someone to tailgate them into the building; we can't be there when they choose weak or strong passwords; we aren't watching over their shoulders as they code to make sure they follow our guidelines. It's impossible to verify every single action taken that applies to security, no matter how hard we try. This means we have to educate and then trust that employees have honest intentions and do their best to perform their jobs in the safest and most secure way possible. We trust them to help secure our organization, systems, data, customers, and employees.

Some argue that “if security is everybody's job, then it's nobody's job,” but this could not be further from the truth. Someone on the security ...
