The final myth in our series isn’t just about SSL – it’s about security. The prevailing attitude at organizations, no matter the size, is that responsibility for security falls to someone with a security-related job title, such as application security specialist, cyber security guru or chief security officer. As a result, the well-known SSL vulnerability announcements (and any security alert, for that matter) are often overlooked and ignored by the development staff.
But in reality, when employees use SSL technology, as provided by their company’s VPN client vendor, to log in remotely and use sensitive company resources, they should bear some responsibility for ensuring security. Yet few of these employees ever realize that effective security should be everyone’s concern.
Of course, this mentality is not entirely the fault of employees. The companies themselves and their executive leadership are ultimately responsible for ensuring all personnel have adequate security training. Legal statutes and regulatory regimes in every industry require companies to create a culture of awareness and security knowledge through effective training programs. When organizations lack definitive security policies, this type of thinking is more pervasive.
But in today’s world, the stakes are far too high for a single department to shoulder the full responsibility for securing an organization. All employees, no matter where they sit in the organization, should have some degree of security training.