
By Leena Franscisco
Ransomware and related cybersecurity terms have rapidly become household words because of the risks they represent.
A question that is frequently asked is: who is ultimately responsible for managing these risks, and therefore who should be held accountable in the event of a breach? Is it the IT function? Is it the Board of Directors?
Are the employees responsible? Or should responsibility fall on third parties? After all, if a function has been outsourced, does that not make the service provider responsible?
According to Proofpoint, a data breach can be defined as a data security incident in which unauthorized parties access, steal, modify, or disclose sensitive information belonging to an individual or an organization.
The IT function is primarily responsible for ensuring that systems remain available for use and, through continuous monitoring, protected from unauthorized access.
However, in my experience, this responsibility should not be isolated to the IT function alone. Cybersecurity is an organizational issue that requires the involvement of all stakeholders, which means that every stakeholder has a role to play in ensuring that data is protected and that its integrity is maintained.
Stakeholders can either be internal or external and include the following:
Internal stakeholders:
- Employees
- Management
- Board of Directors
External stakeholders:
- Customers
- Regulatory bodies
- Third‑party vendors
Effective information security management relies on the active participation of all stakeholders across the organization and its extended ecosystem. Each group plays a distinct but interconnected role in safeguarding information assets, including (though not limited to) the following:
- Strong Governance and Oversight
The Board of Directors and executive management set the tone for information security by ensuring that cybersecurity is embedded within the organization’s governance framework.
This includes approving information security policies, aligning cybersecurity objectives with business strategy, allocating adequate resources, and overseeing management’s response to cyber risks. Regular reporting on cybersecurity posture, incidents, and emerging threats enables informed decision‑making and reinforces accountability at the highest level.
- Policy Compliance and Continuous Improvement
Stakeholders contribute by ensuring that information security policies and procedures are not only established but are regularly reviewed, updated, and consistently applied.
Policies must be reviewed to ensure constant alignment with evolving regulatory requirements, technological changes, and emerging cyber threats.
Employees, management and third parties alike are responsible for understanding these policies and adhering to them in their daily activities, thereby reducing the risk of control breakdowns.
- Awareness, Training, and Cyber Hygiene
Employees are often the first line of defense against cyber threats; therefore, ongoing cybersecurity awareness and training is essential to equip stakeholders to recognize phishing attempts, social engineering tactics, and other common attack vectors.
Additionally, by practising good cyber controls (such as using strong passwords, enabling multi‑factor authentication, and securing devices), stakeholders significantly reduce the likelihood of breaches caused by human error.
- Vigilance and Incident Reporting
All stakeholders should remain vigilant and proactive in identifying and reporting suspicious activities or potential security incidents.
Timely reporting enables rapid response and containment, minimizing potential damage. A clear, well‑communicated incident‑reporting process encourages transparency and ensures that issues are escalated and resolved in a timely manner.
- Secure Use of Systems and Information
Responsible system usage is a critical contribution to information security. This includes locking workstations when unattended, restricting access to sensitive information on a need‑to‑know basis, storing passwords securely, and avoiding the use of unauthorized software or devices. These basic but essential practices help prevent unauthorized access and data leakage.
- Third‑Party Risk Management
External stakeholders, particularly third‑party vendors and service providers, play an increasingly significant role in the organization’s information landscape. Effective information security management requires that third parties be subject to due diligence before engagement, to contractual security requirements, and to ongoing monitoring for the life of the relationship. Holding third parties accountable ensures that outsourced services do not become weak points in the organization’s cybersecurity posture; outsourcing a function does not outsource the accountability for it.
- Culture of Shared Responsibility
Ultimately, stakeholders contribute most effectively when information security is viewed as a shared responsibility rather than a purely technical obligation. Building a culture that values security, accountability, and ethical behavior strengthens organizational resilience and supports the protection of information assets, stakeholder trust, and organizational reputation.
In an era where cyber threats continue to evolve in sophistication and frequency, cybersecurity can no longer be viewed as a technical issue confined to the IT function. Rather, it should be viewed as a shared responsibility that demands commitment, accountability, and vigilance from every stakeholder within and beyond the organization.
In a nutshell, a strong cybersecurity posture is not achieved through systems and controls alone, but through a culture of awareness, ownership, and collective responsibility—one that protects not only data, but trust, reputation, and long‑term sustainability.
*Leena Franscisco is the Group Internal Auditor – Information Technology