Within the framework of NIST SP 800-12 Rev. 1, roles and responsibilities are delineated in a way that makes plain that cybersecurity is no longer just a technical function but an organizational priority. One of the roles within the cybersecurity team is that of the system owner. The system owner is identified as a manager or senior staff member responsible for an information system in the organization. They may not be a technical expert, but they are accountable for ensuring the information system is managed and operated securely according to the organization’s policy and federal requirements.
The system owner is part of the team because every information system carries its own unique set of risks. The IT staff may implement the technical defenses; the system owner, however, ensures the information system is provided with appropriate resources and documentation, and with the oversight needed to confirm that security requirements are satisfied. The system owner is the individual who approves user access to the system, assists in coordinating security controls, and ensures the organization regularly assesses the risk of the information system. In this way, they serve as the conduit between management and technical staff.
This position is important because cybersecurity cannot and will not be effective through the IT department alone. It requires the support of the business, and assigning system owners places that responsibility directly with the business. System owners understand the system’s purpose as well as its value to their function, which allows them to strike the appropriate balance between operational needs and security needs. Without system owners assuming this responsibility, many of our systems, regardless of their size, would remain without the leadership required for continued compliance and resilience.