If you spend more than about thirty seconds in the security echo chamber you will hear someone state the oft echoed “security is everyone’s job”. If you spend another sixty seconds you will find someone saying “no, security is the responsibility of the security team.” As is frequently the case in dichotomies, both parties are wrong.
Security is everyone’s job in the same sense that accounting is everyone’s job. We all do our expense reports but, at the end of the day accounting makes sure everything is done correctly. In the same sense, there are some areas of security that everyone has to help and other areas where the professionals must do the work.
The security group should make every effort to stop phishing emails being delivered to end users. An end user that receives an email attempting to steal money from the company should certainly report that email when it makes it through the mail filters. If both act accordingly neither has to be perfect every time. It is only when both sides fail that there is a problem, which leads into defense in depth which is another topic.
Similarly, there is a point of incompetence for both the end user and for IT security and both need to be addressed. I have seen phishing simulations where end users clicked on a link in an email that had a two word body of “Click here.” In a situation like that, users need training but when they fall for the same thing time after time it may require corrective action. Similarly, I have seen a professional services company “migrate” between firewalls and create inbound any/any rules that never existed before. I’ll give you that mistakes happen but, as professionals, we should hold ourselves to higher standards and there should be repercussions for incompetence. In short, everyone fails eventually and the end user can help sometimes but not every time. Everyone doing their part to create defense in depth helps.
What I am trying to point out here is that there are areas that IT cannot stop with technical means. Phishing emails are going to get through. Maybe, we can mitigate some of the adverse conditions but, if the end user clicks every link that is presented one days something bad is going to land. On the other side there are areas that the end user cannot control and should not be expected to even consider. The firewall is a good example here.
There are too many smart people repeating false dichotomies about the responsibility of IT vs. end users when it comes to security. In a sense security is everyone’s job because we can’t do it without every user being vigilant but at the end of the day IT and IT security has to do the heavy lifting, including training the users who we expect to assist us in securing the environment.
Who is responsible for security? Everyone but, with the understanding that IT Security must provide the tools (training) to allow that and even then IT security will need to pick up most of the heavy lifting because everyone else has their own primary responsibility to consider like making sure my reimbursements happen in a timely manner.