When I write, I sometimes have a topic in mind, and look for an interesting way to introduce it. This time, I ended up going down an unexpected path, but I really liked the stream of consciousness through which the dots were connected, so I decided to follow them.
I wanted to start off with the idea of us all being together, so I searched “all in this together”, but all I could find were references to the song from the show High School Musical, which is not really to my taste. I then tried to refine the wording to “all together now”, which led me to the Beatles song – frankly, not one of my favourites – and anyway, I had already used Yellow Submarine in a prior post. (I briefly considered Tom Lehrer’s “We Will All Go Together When We Go”, but decided it didn’t really convey the idea I was looking for...)
I kept searching, found the video above, and thought it referred to a song called “All Together Now” by “Florence + The Machine”. Now, I had heard of the band and recognized the song, but didn’t know its title (which was actually “Dog Days Are Over”). It was really a good performance, though, and #TIL that there was a British reality show called All Together Now, which had a panel of 100 music experts and performers as judges. Interesting!
I still wanted to talk about the idea of all being in this together, though, so...
Picture a hospital.
Wikipedia defines a hospital as a “health care institution providing patient treatment with specialized health science and auxiliary healthcare staff and medical equipment.” As always, you can dig into almost any of those terms and find a near-endless series of rabbit-holes. For most of us, though, when we think of hospitals, we think of doctors.
Does that mean that a doctor is responsible for the health of everyone who comes to the hospital?
Well yes, but a doctor obviously cannot be entirely responsible for all aspects of every person’s health. Wholly aside from the fact that there are dozens of specialties and sub-specialties within the practice of medicine, a doctor simply can’t do everything.
To start with, how effective would a hospital be without nurses and their various specialties?
And what about orderlies and support staff? Or the laboratory staff and technicians who process the tests required for diagnosis and monitoring? How about medical imaging, such as x-rays, ultrasound, or MRI? Or the technicians needed to keep that machinery running?
And what about other health professionals, like dietitians, pharmacists, and physiotherapists?
On top of everything else, how do you keep this large group of people organized? You need administrative staff, clerks, managers, and many others just to keep things operating.
What about patients? The best healthcare must include the patient as well, so it’s necessary to educate patients about healthy living and to inform them of the options available to them in various situations.
Sounds complicated, huh? Everyone involved is necessary to support the mission of providing healthcare, and it’s vital to recognize and appreciate this fact in order to support the best possible health of patients.
Now consider InfoSec.
Is the Information Security team responsible for an organization’s security posture? Yes, in that their role (and usually their training) is focused on security, but there are endless specializations within InfoSec as well. Is a penetration tester the best person to manage a company’s data classification policies? Is a lawyer the best person to reverse-engineer a sample of potentially malicious software?
Like doctors in a hospital, the InfoSec team cannot ensure security across an organization on its own. InfoSec also differs in that security is essential to the mission of a company, rather than being the mission itself in the way that healthcare is the mission of a hospital. So, most people outside dedicated security teams have roles that go beyond security.
Still, can a company be secure without the networking team? Server operations? System and Database administrators? Application operations? What about end users? And how can leadership support all of this?
The key to all of this is the recognition that security, like healthcare, must be a group effort, and it’s most effective if everyone understands their role.
How do we do this?
Education is usually a good place to start. It’s important to explain how everyone’s role fits into the broader security mission, and provide the tools to support that mission. It’s also important to create environments which promote effective policies.
Take vulnerability management as an example.
If an organization treats vulnerability management as a technical exercise, pushes lists of vulnerabilities to technical teams, then holds those teams accountable for resolution, the result will often be conflict with business and product teams wanting to focus on enhancements.
On the other hand, if an organization treats vulnerability management as a product exercise, pushes lists of vulnerabilities to product teams, then holds those teams accountable for resolution, the result will often be conflict with the technical teams wanting to ensure sufficient testing and system stability.
But, if we treat vulnerability management as the responsibility of everyone, and hold both technology and business teams accountable for resolution, the shared mission will help to minimize conflict between teams, and encourage them to find an optimal approach to integrating vulnerability management into normal processes.
Simple, right?
Sorry, no. Not simple. It can be a long and painful road, but it’s necessary, more effective, and eventually becomes a normal part of operational life. Like testing, if security is simply a part of the way things are done, it becomes something that everyone participates in.
We really are all in this together.
Cheers!