Stop me if you’ve heard this before –
INFORMATION SECURITY IS NOT SOLELY THE RESPONSIBILITY OF THE IT DEPARTMENT.
Thanks, I had to get that off my chest. But it’s true. Information security affects everyone no matter what their station or position in an organization. And when it comes to a mature Information Security program, there are dozens of touch points across an organization.
Sure, IT and Business Unit Managers are part of the program, but what about some of the others? When you think about it, Information Security regularly interacts with:
- Human Resources
- Legal/General Counsel
- Physical/Corporate Security
- Compliance Office
- Privacy Office
- Insurance
- Procurement/Purchasing
- Vendor Management
- Project Management Office
- Change Control Board
- QA
- End Users
Why Each of These Departments Actually Matters to Security
It’s one thing to list the departments that interact with information security. It’s another to understand why each relationship matters — and what happens when it breaks down.
Human Resources touches security far more than most people realize. Every new employee is a potential security risk — not because they’re malicious, but because they’re untrained, unvetted, and unfamiliar with your systems. Background checks, security awareness training during onboarding, access provisioning when someone joins, access adjustment when someone changes roles, and access termination when someone leaves — all of these are HR-security touchpoints, and HR is usually the first to know that any of those events has happened. Insider threat, one of the most damaging categories of security incident, is as often an HR failure as a technical one: the stale account that was never disabled, the role change that quietly accumulated privileges, the grievance nobody escalated.
Legal and General Counsel becomes critical the moment something goes wrong. Data breach notification requirements, regulatory obligations, contract language with vendors, liability questions — none of these can be handled by IT alone. Legal needs to be involved in your incident response plan before an incident happens, not during it.
Physical Security is frequently siloed from cybersecurity in ways that create real vulnerabilities. Tailgating into a secure facility, accessing an unlocked workstation, walking out with a hard drive — these are physical security failures that become cybersecurity incidents. The two functions need to operate as one integrated program, not as separate departments that occasionally talk.
Compliance and Privacy Offices own the regulatory landscape that shapes what your security program must do. HIPAA, PCI DSS, GDPR, state-level privacy laws — these aren’t IT problems. They’re organizational obligations. The compliance office sets the requirements. Security implements the controls. When these two teams aren’t aligned, organizations end up with compliance theater — policies that exist on paper but don’t reflect how the organization actually operates.
Procurement and Vendor Management control who gets access to your environment through the supply chain. A third-party vendor with weak security practices and access to your systems is one of the most common breach vectors in modern organizations. Every vendor relationship is a potential security exposure. Procurement teams that don’t require security assessments as part of their process are creating risk without realizing it.
End Users are simultaneously the most important and most overlooked part of the security program. Technology can block a lot. It can’t block a person who voluntarily hands over their credentials to a phishing email that looked convincing. Security awareness training, clear policies, and a culture where people feel comfortable reporting suspicious activity are all non-technical controls that have direct impact on your security posture.
What a Mature Security Program Looks Like Across an Organization
A mature information security program isn’t a technology stack. It’s a governance structure.
It starts with executive sponsorship — a CISO or equivalent who has the organizational authority to set policy, require compliance across departments, and escalate issues to leadership. Without that authority, security becomes optional. Departments opt out when controls are inconvenient. Risk decisions get made without security input. And when something goes wrong, everyone points at IT.
Below executive leadership, a mature program includes a security steering committee or equivalent — representatives from Legal, HR, Compliance, Finance, Operations, and IT who meet regularly to review risk, discuss policy, and make decisions as an organization rather than as individual silos.
At the operational level, every department has security responsibilities built into their normal workflows. HR runs background checks and triggers access termination the day someone leaves. Procurement requires vendor risk assessments before a contract is signed. Project managers include security review gates in their processes. Change control boards review the security implications of system changes before approving them. Finance monitors for fraud and financial security risks.
This isn’t bureaucracy for its own sake. It’s the recognition that security risk lives everywhere in an organization — and the only way to manage it is to make security everyone’s job, with clear ownership and accountability at every level.
The organizations that get breached most consistently are the ones that treat security as an IT problem with an IT budget and an IT headcount. The organizations that build genuinely resilient security programs are the ones that treat it as a business function — owned by leadership, practiced by everyone, and resourced accordingly.
It does indeed take a village. Security is such a far-reaching function that, eventually, it touches everyone in the organization, right down to anyone using a computer or an industrial tool.
I take a little deeper look into the various interactions with each of these areas in a new discussion on my Teachable site – check it out while it’s on sale.