Showing results for 
Show  only  | Search instead for 
Did you mean: 
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Reader I

Request For Comment: "Cybersecurity is Everyone's Job"

NICE Working Group

The Workforce Management Sub-Group has prepared a draft of "The Resilient

Workforce: Cybersecurity is Everyone's Job," and we are requesting your



This guidebook provides things to know, and things to do, for everyone in an

organization, regardless of type or size (publicly-traded corporation,

government agency, non-profit, small business, etc.), with guidelines

organized by essential business function, in order to engage the entire

workforce in securing the enterprise. It is intended for the general

audience, which may not otherwise be knowledgeable about, or interested in,

cybersecurity, but may be receptive to tips on what they can and should do.

It is therefore designed as an entry-point into the topic, and can be read

as a complete guide, or by each business function as standalone guides.


As you read this, the Co-Chairs and Co-Editors ask that you consider the

following questions:


*             Does this guidebook effectively address the objectives outlined in

the Introduction?

*             What would make it more impactful and useful?

*             Have we achieved the right balance between breadth (broad enough to

be easily accessible and applicable) and depth (specific enough to be


*             In the first section of each business function, does the paragraph

"You likely spend more of your time"... add value, or should it be


*             What additional job titles/roles are needed for each business


*             Should common tasks identified in the "What you need to do" section

of each business function be consolidated into Appendix 3: What Everyone

Should Do, or kept in each business function in order to provide a

stand-alone "tear sheet" for each function?

*             Is there a better description for the business function "Facilities

and Operations" so that internal operations, customer-facing product/service

delivery, and physical systems are all included?

*             Should additional content be added to address supply

chain/third-party risk? If so, how?

*             Should additional content be added to address knowledge management

and data governance? If so, how?

*             What other references should be included in Appendix 4: Where to

Learn More?


The document, and an online survey for feedback, is hosted on its webpage:



kforce-management-sub-working-group/workforce> .


Thank you!

5 Replies
Newcomer II

With just a quick glance that looks like a very good starting point for a solid cyber stance for organisations. And yes, supply chain / third-party risk should definitely be mentioned strongly - procurement processes need to taking into account external risks to the business and ensuring that those engaged are also taking cyber-hygiene seriously.

Defender I

;This note is not a comment on the new NICE document; I will look at that draft later to decide if I have meaningful comments to submit to NIST.
For now, these are thoughts on the general statement, “Cybersecurity is everyone’s job.”


Such a claim is logically equivalent to declaring any of the following:

* Occupational safety is everyone’s job.
* Workplace sanitation is everyone’s job.
* Workforce diversity is everyone’s job.
* Business development is everyone’s job.


While most of the workforce should know all of these business needs are organizational goals, we don’t, or at least should not, try to divert attention away from primary job focus to a long laundry list of “stuff someone needs to take care of.” Can you imagine the level of quality performance if a department manager stopped to empty every full trash can she passes in the building? How about the head accountant scrubbing all the sinks in the restroom before returning to the office? Should the IT Director of an insurance company take time to meet with the executives of a customer corporation considering changes to their employee life insurance program?


The U.S. Army recently acknowledged the impact of so-called “ancillary training” that had become so heavy that soldiers have not been able to build and maintain high capability in primary jobs, like, you know, infantry combat. For discussions on the Army action and reasons for it, see
Army Cuts Some Mandatory Training and Other 'Burdensome' Requirements
The Army just dumped a bunch of mandatory training to free up soldiers’ time


Good news, soldiers: The Army has slashed even more mandatory training requirements


For my own discussion on the mistaken idea that, “Cybersecurity is everyone’s job,” see my 25 minute presentation at INFOSEC World 2016,

Why Won’t They Follow the Rules? Maybe It’s the Boss’s Fault!


D. Cragin Shelton, DSc
My Blog
My LinkeDin Profile
My Community Posts
Community Champion

I owned my own IT consulting company in the DMV (District, Virginia, Maryland) region for many years.  Did a lot of laps around the beltway. If this document was intended to reach those small to medium sized businesses that I served, it won't easily.  I chose my target customer by who they employed-roughly those companies that employ 80% of the American workforce, had vertical markets that interested me or needed services that I offered.  Most of those companies are lucky to be maintaining their payrolls, rent for their facilities and set aside a small amount of money for lean times. They could barely afford my reasonable rates for IT services when I was performing them.  Now I provide PKI and CAP consulting to Federal Agencies.

This document takes on the personality of the large group of heavy hitters that wrote it.  It uses vernacular and industry buzz words that Jane Doe, Operations Manager of Beltway Printing company is not going to understand.  If she has an IT consulting firm that is somewhat knowledgeable about Cybersecurity they may have some idea on what to do but there is no guarantee of that.


I'm not sure how this document would ultimately reach the target audience.  No one is going to be bored at work and say to themselves "I think I'll hop onto the NIST website and read their publications".  


I think the target should be the IT consulting firms, the BBB, and any other organization that supports small to medium size business (non-profits).  

Influencer II

Just as a note on your title: I used to start the topic of personnel management and security awareness with the note that we frequently cite "Security is Everyone's job," along with the truism that "Everyone's job is Nobody's job ..."


Other posts:

This message may or may not be governed by the terms of or
Influencer II

I've included some comments on the NICE document in the discussion under "Should everyone become security professionals?"


Other posts:

This message may or may not be governed by the terms of or