My mother always says, “It takes a village” when preparing holiday dinners for our family — the cousins, the grandkids, everyone. Yet, once the food is gone and the laughter fades, she’s the one left cleaning up.
Implementing a holistic data security strategy reminds me of cleaning up after those holiday dinners — it’s a team effort often left to one person. Just like a game of basketball, you’ve got to make a pass to nearly every player to win. The responsibility of data security has to be a team sport.
In this blog, I’ll highlight how security leaders in the public sector can communicate the importance of keeping sensitive information secure to help create a culture of shared responsibility for data security across the organization.
How the landscape of data security has evolved
Traditionally, IT departments and security analysts have handled data security responsibilities. However, with the sheer number of adversaries targeting data and teams facing resource shortages, analysts are stretched thin and are solely focused on maintaining the perimeter.
With the rise of generative AI, rapid cloud expansion, emerging threats, and increased collaboration, data security must be everyone’s responsibility. Like cleaning up after a big holiday feast or scoring the winning basket, creating a strong data security posture truly takes teamwork.
Federal agencies have recognized the need to foster security, and recent publications such as the Federal Zero Trust Data Security Guide highlight how achieving effective data protection requires buy-in from multiple teams. The guidance itself is significant because it was developed by CDOs (Chief Data Officers), CISOs, Senior Agency Officials for Privacy, and representatives from over 30 Federal departments, agencies, bureaus, and entities, who often operate independently, causing discontinuity in strategies across Federal IT and cybersecurity.
While CISOs, CIOs, and Privacy Officers are the core leaders at the helm of a strong data security posture, they have to enable key players, including cybersecurity, infrastructure, and platform owners, privacy, legal, cloud, and more, to implement holistic data security across the entire organization.
Proof in the pilot
Government agencies will typically pilot a product as part of their market research process before moving it into their production environment. This allows for all stakeholders to align on the choice of software before a decision is made.
Since January 2022, CDOs have been tasked with meeting the requirements in memorandum M-22-09, which calls for the inventorying of sensitive data, automatic monitoring of sharing, logging, and more.
We’ve worked with CDOs aiming to meet these requirements through various pilot programs, and many do not reach full operational capability because they lack support from other groups across the organization. Knowledge sharing amongst all departments can create more successful pilots and foster a culture where all employees understand their role in protecting data.
Another example: Most privacy and legal departments we work with across the Federal Civilian space deal with a fun set of data called Controlled Unclassified Information (CUI). Many agencies, such as the Department of Energy, have their own set of rules for protecting CUI. Additionally, most of their labs and sites have CUI liaisons who usually fall within the privacy department.
In the case of a CUI discovery and protection pilot, privacy and legal teams should be responsible for defining the objectives early on, while the cyber and IT departments help them meet the mission. This separation of roles ensures efficiency, with legal teams setting the "what" and cyber teams determining the "how." Well-structured governance drives success in sensitive data protection pilots.
Organizations that foster a culture of collaboration are best positioned to protect mission-critical data against adversarial threats. True data security is a combination of compliance, forensics, user and entity behavior analytics (UEBA), and remediation. Each piece ties into the others to produce an outcome, rather than checking a box.

How to encourage a shared responsibility of data security at your organization
So, what’s the best approach to ensure your entire organization prioritizes data security?
My first recommendation is that executive leadership lead by example. If they care, others will naturally care as well. Assigning data security champions for every department is another great way to ensure employees are held accountable for data handling related to their role.
Your data security best practices should be easy to follow and locate, and also be difficult for employees to bypass. The department champions can ensure their co-workers are following basic best practices, which include:
- Encourage proactive reporting of potential threats: Employees may be hesitant to report data security issues they uncover for fear of getting in trouble. Create an open-door policy where teams can flag potential risks, whether through anonymous reporting channels, security hotlines, or integrated reporting tools.
- Bring awareness to phishing: Social engineering tactics like phishing emails are a popular way for threat actors to try to gain access to environments, and they are becoming more sophisticated. Educate your organization on the signs of phishing. Running phishing simulations is also a great exercise to help employees know what to look out for.
- Enable MFA: Multifactor authentication (MFA) can reduce unauthorized access by making it harder for threat actors to get into your environment. It is strongly recommended that employees enable MFA wherever possible or that your IT teams make it mandatory.
- Highlight risks related to specific positions: Phishing tactics personalized to a certain role are one of the reasons employees can have a hard time spotting them. For example, a marketing team member who gets an urgent text message from the CEO asking for money may want to act fast and help because they don’t interact with the CEO daily, whereas an executive assistant would likely see that the sender's address or phone number is different. Showcase specific situations to your teams so they understand how these tactics put the entire organization at risk.
We’re here to help.
Shifting security from an isolated department to a shared, organization-wide mission ensures long-term resilience and compliance. When employees understand that data protection is everyone’s responsibility, security becomes second nature, not an afterthought.
At Varonis, we protect data where it lives. Our platform is purpose-built to look deeply inside and around data, and then automate its protection using patented, battle-hardened machine learning and AI.
We help the country’s leading federal agencies minimize their attack surfaces, simplify compliance, defend against cyberattacks like insider threats and ransomware with automation, and prevent data spillage.
Ready to experience the Varonis difference? The best way to get started is with a free Data Risk Assessment. In less than 24 hours, you’ll have a clear, risk-based view of the data that matters most and a clear path to automated remediation.
