Disruptive By Design: The Lie We Tell Ourselves About Cybersecurity Ownership
Organizations instinctively assign complete ownership of cybersecurity to information technology (IT). Multifactor authentication, phishing drills, security awareness training and virtual private networks are all visible markers of a “serious” program, and they all live within the IT function. Frameworks like NIST SP 800-171, which defines the requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems and is mandated across the defense industrial base, reinforce that perception. Many of its required controls are technical in nature and are implemented by IT teams. It’s no surprise, then, that organizations assume cybersecurity belongs there.
But that instinct has created a structural blind spot.
Even within the access control family of NIST SP 800-171, typically considered highly technical, some requirements have little to do with configuring systems and everything to do with how an organization behaves. One example is requirement 3.1.22 (in Revision 2 numbering), which calls for controlling the information posted or processed on publicly accessible systems.
On paper, “publicly accessible systems” sounds like an IT responsibility. In practice, it rarely is. Most organizations rely on their marketing, Human Resources (HR) and recruiting teams, and sometimes third-party contractors, to manage websites, social media platforms, job postings and public announcements. These teams routinely publish contract awards, employment opportunities and program details. Within the defense ecosystem, those announcements can signal capabilities, mission-support activities or emerging technologies tied directly to national security efforts. It is entirely reasonable to fear that Federal Contract Information (FCI), or even CUI, could end up in one of these announcements. IT usually plays only a small role in monitoring these platforms or interacting with them.
From a Cybersecurity Maturity Model Certification (CMMC) assessor’s perspective, the requirement itself is straightforward: an organization must ensure that sensitive information is not posted on public-facing systems, and it must be able to show how. The assessment objectives in NIST SP 800-171A spell out what an assessor looks for: the individuals authorized to post content are identified, a review takes place before anything is posted, content already on the public system is reviewed, and a mechanism exists to remove anything improperly posted. That demands more than technical controls. It requires a review process. It requires clearly designated points of contact. It requires personnel trained to recognize FCI and CUI before they post content, not after.
This is where the broader issue becomes clear.
Every department can influence cybersecurity risk, but those most engaged with the public, marketing and HR in particular, are the most likely to face scenarios that affect the organization’s security posture. They may inadvertently post sensitive information, especially if they have never received CUI training because they were never considered CUI users. Contracts and purchasing teams face a different exposure: they interact with competitors and vendors who may have a vested interest in gaining inside information to advance a sale or win a contract.
When cybersecurity is treated as an IT function, these realities stay disconnected from the program. In an environment where foreign adversaries actively harvest open-source intelligence, those disconnects are not theoretical; they are exploitable.
The gap becomes evident during assessments. After deep dives into technical access control configurations, assessors reach this requirement and the room goes silent. The departments responsible for public-facing content are not present, and the process, if one exists, is unclear.
Security was siloed within IT, and the rest of the organization was never fully integrated into the program. By contrast, organizations that bake security into their culture have already identified responsible points of contact and prepared them to engage. This is most often seen in organizations that invested early in an effective cybersecurity strategy, partnered with reputable consulting support and approached compliance as a business-wide effort.
Within the defense industrial base, leadership’s investment in cybersecurity directly affects not only compliance outcomes but also the protection of controlled defense information that supports warfighter missions. How leaders invest time and resources sets the tone for shared responsibility and determines whether the organization views security as a collective effort or solely an IT concern.
Real maturity in cybersecurity requires leadership to rethink ownership by fostering cross-departmental involvement, investing in training and promoting a shared understanding of CUI and NIST SP 800-171 across all teams.
Cybersecurity and CMMC are not technology initiatives; they are enterprise disciplines. For organizations supporting the Department of Defense, protecting controlled defense information is not merely a regulatory requirement; it is a mission imperative. Your greatest vulnerability is not the firewall but human behavior inside an organization that believes security belongs to someone else.