it is everyone's responsibilityToo often our human selves will happily put off some responsibilities on others if we can find any small reason for doing so. It may not be our best quality but it is certainly one that bonds most of us together. I personally can’t name anyone that would say sorry I would like to take responsibility for something I think is your responsibility. In our world today we all need to take responsibility for helping protect the group as a whole. The NICE team from NIST published something about just that when it comes to cybersecurity. Time to get ready to discuss it is everyone’s responsibility, not just a select few.

A 5 star review is all we ask from our listeners.
Free HIPAA Training
Subscribe to the weekly email update from HMWH

I have read and agreed to your Privacy Policy.

In this episode:

It Is Everyone’s Responsibility – Ep 259

The HIPAA Boot Camp

2020 COVID Session Dates

August 18, 19, 20

Online Version!!

For info go to

Registration Form

Share Help Me With HIPAA with one person this week!

Thanks to our donors.  We appreciate your support!

If you would like to donate to the cause you can do that at

Like us and leave a review on our Facebook page:

We want to take a moment to address the greater issues happening in the country right now. Our lengthy discussion on the topic would surprise many of you. We both have very different experiences and often different opinions. The important thing is we have conversations that are respectful and honest. There are many problems we are all facing right now with policing and racism in the middle of a pandemic. None of these are simple or will be solved quickly or easily.

What we do know is that until we learn to have conversations with other people and realize we all have experiences that frame the way we see the world. Take the time to sit down with someone even in your own family without the attitude of I am right and you are wrong.  Understand we are different and each of us deserve to be respected as human beings.

The podcast audio includes more of this discussion.

It Is Everyone’s Responsibility

Cybersecurity is Everyone’s Job from NICE, a subgroup of NIST created this great guidebook in 2018. I knew it would be a great one when I got to the first sentence of the first section:

We are the greatest vulnerability in any organization.Cybersecurity is Everyone's Job

Bam! Right there it is. We all need to understand it is on us, there is no real way to easily secure the human unless they agree to participate.  A few paragraphs later they lay it out with a bit more detail.

Contrary to the common misunderstanding that cyber threats are a technology problem looking for a technology solution, the data clearly and consistently shows that employees are the greatest vulnerability of any organization.Cybersecurity is Everyone's Job

Throughout the guide it breaks down the understanding of cybersecurity responsibilities based on job roles. No matter how you fit into the organization you fit into at least one if not more of these roles. There are some things that apply to all roles and some that are more specific and only apply to a few. The breakdown by role is something I feel is most important. It allows someone to skip to the part that matters to me. We have often mentioned the importance of all training being related to the individual and the job that they do.

From a training perspective we always believe that the what is as important as the why but not as important as the why me. Humans may tend to allow others to take responsibility for things they deem do not apply to them. The best way any of us get involved is when we believe something really does apply to me or it really does impact me in some way. Especially when we look at our ability to ignore things or remain uninformed about things that do not have a direct impact on our personal lives or needs.

…the largest “attack surface” of the organization is you and me—the people who perform common functions…
Before you think this guidebook may not apply to you just stop that thought right now. They make it very clear in the introduction there will be very few people that will not find a portion of this guide that applies to them.

This guidebook is intended for every kind of organization, from large government agencies and publicly-traded corporations to nonprofits and small, family-owned businesses, since all organizations must perform common, essential activities.Cybersecurity is Everyone's Job

If you are outside all of these areas you should probably still be aware but come-on, man, there is definitely something in here for everyone and it is written with that intent. No matter who you are or what you do the cybersecurity of your organization relies on you. You can be the last defense or the greatest weakness, which one do you prefer to be. The message is throughout the conversations that follow based on those roles and functions people perform in an organization. You can use the guide as one large manual or break out each section to be a stand alone guidebook for the role or categories of activities involved.

Here are the categories broken down for explanation:

The business functions are presented as seven categories:

  • Leadership, Planning, and Governance
  • Sales, Marketing, and Communications
  • Facilities, Physical Systems, and Operations
  • Finance and Administration
  • Human Resources
  • Legal and Compliance
  • Information Technology

There is an opening section before it dives into these categories that really should be read by every single person. At minimum make sure all the management and leadership throughout the organization review it. I would suggest you even consider making a specific meeting to discuss these concepts with the leaders of each area of the organization from the top down.

Opening on responsibility in the organization culture

Your organization’s culture is critical to establishing a successful cybersecurity posture. Its culture must emphasize, reinforce, and drive behavior toward security. A resilient workforce will not exist without a cybersecure culture.Cybersecurity is Everyone's Job

This simple one page hits on all the elements of a system that thinks about privacy and security by design. It is built into the decisions and through processes we follow every day for everything we do. It covers the need for a mindset, leadership, training, management, policies and reinforcement with technical safeguards. A perfect page for reading no matter what part you play in the big picture. It is everyone’s responsibility to protect the data and systems.

Categories cover responsibility by roles

Role in the organization
Leadership, Planning, and Governance
Setting overall direction, establishing priorities, maintaining influence, and mitigating risks
Sales, Marketing, and Communications
Raising awareness, communicating, generating

revenue, and interacting with customers

Facilities, Physical Systems, and Operations
Designing and delivering products and services, managing operations, and maintaining the physical environment
Finance and Administration
Providing planning, forecasting, accounting, transactional and administrative support to all functions within the organization
Human Resources
Planning, hiring, and supporting the development, retention, and compensation of the organization’s workforce
Legal and Compliance
Ensuring compliance with laws, regulations and standards, mitigating risk, and addressing legal matters

Each section reviews what the jobs require, what information they need to do it and how that makes them a risk to the security of the organization. There are little bullet sections and great examples speaking directly about what each role needs to have access to in order to be effective. That means you should also be aware of how that could impact the organization if you don’t take your responsibility seriously. It really provides some positive feedback training and guidance instead of the do this or else approach.

I encourage you to take the time to download the guide using one of the many links provided here and find the best way to share it within your organization. There is very little more that can be done until the practical concepts are implemented in an organization.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.