In some cases, the security team has already informed them of their risk and they chose to ignore it because they do not want to do anything that might affect revenue; in other cases, the security team never communicates with them in the first place, so they are completely unaware that their POS system, for example, has a vulnerability.
Stolte said, "If I'm higher up and have the responsibility of making sure ecommerce is available, I need to understand the real risk of my being taken down by DDoS."
Embracing the role of a security newb, regardless of your role in today's digital enterprise, will help to reduce the risk of an attack on the business. If everyone understands that security is a shared responsibility, they will better understand how they personally can be attacked, for example through phishing.
Stolte's filing cabinet analogy is a logical comparison that helps make sense of the disconnect among key players who do not sit on the security team but need to be active participants in managing cyber risk.
"Line of business and application owners are the ones who have the keys to the file cabinet with the sensitive information. They are the ones who can flag if someone is going into the cabinet when they shouldn't be. The security team is merely the guy at the front desk of the building," Stolte said.
Once a person is inside, the security team can't tell if the person is accessing things they shouldn't be accessing without the context from the other key players.