- January 16, 2023
- Posted by: Pat Riot
- Categories: Compliance, CyberSecurity, Governance

Cybersecurity risk is a major concern for companies of all sizes and industries. With the increasing amount of sensitive information being stored and shared digitally, the potential for data breaches and cyber attacks is at an all-time high. But who should own the responsibility of managing cybersecurity risk within a company?
One of the most common misconceptions is that cybersecurity risk is solely the responsibility of the IT department. While the IT team plays a crucial role in implementing and maintaining security controls, they cannot be expected to bear the entire burden of cybersecurity risk management. Cybersecurity risk affects all aspects of a business, and therefore, it should be owned by all members of the organization.
The first step in managing cybersecurity risk is to establish a culture of security within the company. This means making sure that all employees understand the importance of cybersecurity and the role they play in protecting the company’s sensitive information. Employees should be trained on basic cybersecurity best practices, such as creating strong passwords and identifying phishing scams.
One key aspect of managing cybersecurity risk, as defined by NIST, is assigning ownership and responsibility to specific individuals or teams. This might include creating a cybersecurity steering committee, made up of representatives from different departments, to manage risk across the organization. The committee should be responsible for establishing policies and procedures for managing cybersecurity risk, and for communicating these policies to the rest of the company.
Another important aspect of managing cybersecurity risk is regularly reviewing and updating the company’s security controls. This includes evaluating the effectiveness of current security measures, identifying new threats and vulnerabilities, and implementing new controls as necessary. The IT team should play a central role in this process, but it should also involve input from other departments, such as finance and human resources.
Cybersecurity risk management is not just the responsibility of the IT department. It is a business-wide responsibility that should be owned by all members of the organization. By creating a culture of security, assigning ownership and responsibility, and regularly reviewing and updating security controls, companies can effectively manage cybersecurity risk and protect against potential data breaches and cyber attacks.
If you are struggling with meeting cybersecurity compliance and getting your company ready for an audit, our Governance Navigator Service might be right for you.