
Originally published June 19, 2016. Reissued May 15, 2026.
2026 Preface
In June 2016, I argued that information security was not a department, but a responsibility shared across an organization. The original post was a response to a recurring conversation I was having with executives who genuinely believed that hiring a CISO and standing up an InfoSec team was the answer to their cyber risk problem. It wasn’t then.
A decade later, I am having the same conversation about AI governance. Organizations are deploying AI across customer-facing decisions, internal workflows, agentic tools, and content generation, and treating governance as a department-level responsibility — usually pushed onto IT, sometimes onto Risk, often onto whoever raised the question first. Same failure mode. Same trajectory.
Read the piece below in two voices. Read it as the cybersecurity argument it was in 2016. Then re-read it substituting “AI governance” for “information security” throughout. The argument holds in both readings. That is the point.
Information Security — That’s a Department, Right? (2016)
In my previous posts, I have highlighted the need for a holistic approach to information technology and information security. The people part of the people, process, and technology triad is one of the most overlooked parts of information technology, especially when it comes to information security.
Most organizations, and individuals, approach information technology with a huge emphasis on the technology aspect, as if the latest gadget will solve all problems. Considering that technology is at best one third of the equation in people, process, and technology, that leaves two thirds of the solution without proper support or investment. Granted, the technology piece is the easy part because anyone can go and purchase the latest gadget, but people and processes are the parts that map the gadget to a business need and make the gadget actually work to fulfill that need.
In most organizations, the question about information security management is usually met with the statement that they have a department — IT security, Information Security, Office of the CISO, or something similar — that deals with information security. The problem with this approach is, as discussed above, that it leaves out at least two thirds of the solution: people and process.
Security is the responsibility of everyone in the organization, and the organization’s defenses are only as strong as the weakest link. In my experience, most people do not want to be the weakest link in the organization. However, they lack the awareness and training. It is the responsibility of the organization to train its employees to perform the duties of any given role, and that includes every employee’s role in the defense of the organization. Only after each employee has the appropriate training can they participate in defending the organization.
There are a number of horror stories about how organizations react to their own failures to educate employees. One of the more recent stories I heard was about an executive who had been brought in to turn around a department, and after the first six months, this executive had done a fantastic job. Everyone loved this executive and the initial results of the turnaround. Then this executive was the target of a spear phishing campaign and, without any training, fell victim to it. As a result, the organization proceeded to fire this executive after the compromise.
This is absolutely the wrong thing to do. Besides failing to learn from an organizational training and awareness failure, it is also incredibly demoralizing for the organization overall. As stated previously, it is the organization’s responsibility to educate, train, and develop its employees, and when the organization fails at that, it cannot hold its employees responsible.
So, if your organization has not provided you with information security training or awareness, reach out to your manager and ask. Make every attempt to educate yourself so that next time someone asks you about information security, your answer is not that there may be a department handling that — you know that you are a critical link in the chain of defense for the organization.
2026 Closing
Ten years on, the people-process-technology model still holds. The substitution test in the preface — replacing “information security” with “AI governance” — is not a trick. It is a confession that organizations re-learn the same lesson every time the underlying technology shifts. We learned it for IT in the 1990s. We learned it for cybersecurity through the 2010s. We are learning it for AI now.
The fix is the same in 2026 as it was in 2016. Education, not blame. Organizational responsibility, not department-level deflection. People-process-technology, in that order, with technology as the smallest term.
If your organization has stood up an “AI Office” or appointed an “AI Lead” and called the governance question answered, you have the architecture from 2016 that did not work then either. The work is bigger than the title.
After 25 years in cybersecurity, the pattern is unmistakable. The organizations that distribute responsibility win. The ones that delegate it to a department spend a decade undoing the choice.