Data Security: Whose Responsibility is it?

By H. E. James, MBA Who is an organisation’s data security gatekeeper? Who is ultimately responsible for ensuring that the data produced by an organisation is secure? In...

By H. E. James, MBA

Who is an organisation’s data security gatekeeper? Who is ultimately responsible for ensuring that the data produced by an organisation is secure? In today’s complex business world, this is not a simple answer.

In an era rampant with people fobbing responsibilities off on each other, it can sometimes feel as if no one is truly culpable. The other edge of this double-edged sword is having too many hands in the biscuit tin. So to whom does the ultimate responsibility of data protection belong?


When an organisation contracts with a vendor to provide cloud services or data storage, security responsibility may indeed fall to the vendor. On the other hand, if data storage is on-site, the provider of that storage is the information technology department accountable for the care of that technology. While IT may indeed be part of an organisation’s structure, it is ultimately an in-house provider of data security.

Outsourced providers are also bound, by contract, to secure an organisation’s data. The contract makes a security vendor’s responsibility not only ethical but legal. Vendors seek out opportunities to secure data. It is part of the business model, not just a by-product of it. Thus, vendors put the onus of their contracting organisations’ security on themselves.


With vendors in control of much of an organisation’s security, does responsibility not then fall to the organisation’s management? In the presentation Data Security from the Collat School of Business, accountability for an organisation’s data security is given squarely to those running the firm:

“Being sure that your vendors are up to date on their security.  Almost, if not, maybe more important than your own company’s security because in this day and age, you know everything is outsourced . . . they have your data.”

It is as imperative for management to keep a watchful eye on those who are keeping data secure as it is for vendors to secure data. While this may be a case of the watcher being watched, management should require regular updates and checks from vendors if they are used.

If IT is in charge of the operations of data security, it is up to management to require the same of its internal security providers. Human Resources and Legal departments are then integral to this process, as they create the handbooks and rules by which employees are governed.


Just two years ago, nearly a quarter of employees surveyed by an American security management firm stated that data security was not their responsibility. Yet in today’s world of Bring Your Own Device (BYOD), is it not ultimately the employee who is the data gatekeeper?

With employees being trained to take care of their own data, responsibility and liability are spread among the masses of the entire organisation. At the same time, if a data breach is tracked to a specific employee, the entire IT department will not be burdened with the consequences.

All of the Above?

An organisation’s data will never be truly secure. It is impossible. However, for it to be at its most secure, all parties involved in creating, collecting, and managing data must take responsibility for ensuring its security.

Vendors must have the right tools and be cognizant of their own security. Organisations must create contracts with vendors that stipulate updates are made and thorough reports are given regularly. Management must create rules and policies that help employees protect their own data, especially that which they create.

It is everyone’s responsibility in the end.

In this article

Join the Conversation