Where lies the Ownership of Risks and Measures in Information Security?

By Steven Debets

Information security is everyone's responsibility! Most people who have ever been an audience member for a presentation on this subject have heard the above statement at some point. It's a true statement but one that remains somewhat cryptic in practice for many.


Information security is for everyone, but which part belongs to me? That is not entirely clear to many people. This is unfortunate, because it means missed opportunities where there is a willingness to contribute. I often hear, "I don't know about computers/firewalls/technology." I would say, don't worry, you are not expected to.

Organizational Level

At the organizational level, a lot is already arranged for the average employee. Central departments like IT and Facility Management have the role of providing standard things for everyone, such as access to networks, information systems, and buildings. Once employees understand the agreements, they can trust that they can work safely. HR requires a background check from employees, and procurement processes ensure that information security requirements are met when purchasing new assets. This "part" belongs to everyone but is not owned by everyone! The ownership of risks and control measures often lies with central departments.

Employee Level

At the employee level, it's evident that information security is a personal matter. Awareness of the subject and knowledge of do's and don'ts (don't click on that link!) are essential here. Responsibility and ownership of this "part" belong to everyone, but that is already well understood. There is often no question or confusion about this.


Where it becomes unclear for many is at the department or team level. Often, teams lack insight into the relevant risks and into the scope of action they have. What risks can my colleagues and I actually influence? What can we collectively do about them? As the figure indicates, it's at the team or department level where there is a significant influence on the confidentiality and integrity of data, simply through the way that data is used in business processes.

Risks Associated with Business Processes

By realizing that a lot is already in place and that there is individual responsibility for safe behavior, the focus naturally shifts to the missing piece of the puzzle: the risks associated with business processes. This is where the discussion should focus, and this discussion is relatively separate from the technical aspects of IT. What's needed is a good understanding of how data is handled in daily practice. Since we all have a role in our business processes, this "part" of information security belongs to you, to me, to all of us. Let's get to work!

If you want to learn more about risks and measures in information security, please contact us.
