If you boil down the factors that contributed to the cyber-attack on the Florida water system earlier this month, this is what comes to the top: the IT person is not in charge of deciding the amount of risk the entire organization takes. As the CEO that statement should make you cringe.

This is an all too common moral of many breach stories.

The IT person, or department, is too often and unknowingly allowed to decide on the risk levels of an entire organization. Meaning, it was never the intention for them to decide the risk tolerances, but it slowly became that way. The IT function for an organization is charged with making technology available for employees to do their jobs.

The confidentiality, integrity and availability of the systems where that information is held and shared should not be decided upon by the IT staff. That is the job of the security and compliance team. You have to separate the lock from the key.

The best IT teams we work with understand where the left and right lateral limits exist. They have a role in the security function, but the level of cyber risk an organization takes on is decided by the leadership, with the help of the security and compliance team.

IT is involved, but not in charge. Most IT teams don’t want to be, so ask your IT leader if they have been operating this way, and therefore slowly been boiling in the water of outdated decision-making from years past.

You have to manage your cyber risk, not surrender to it.

More information about the Florida cyber attack can be found in several links/ sites out there, here are a few:

https://www.nbcnews.com/tech/security/lye-poisoning-attack-florida-shows-cybersecurity-gaps-water-systems-n1257173

https://www.nytimes.com/2021/02/08/us/oldsmar-florida-water-supply-hack.html

https://krebsonsecurity.com/2021/02/whats-most-interesting-about-the-florida-water-system-hack-that-we-heard-about-it-at-all/

 

BACK TO BLOGS