The Myth of “Not My Job”

Amy Stokes-Waters

The strange thing about security rhetoric is how quickly it slides into fantasy. A few LinkedIn posts, a handful of panel quotes, and suddenly we're entertaining the idea that security is not everyone's problem, that it belongs to the blessed few sitting somewhere between IT, compliance, and a metaphorical fucking fire exit. It's a seductive notion. It promises that someone else will worry about the unpleasant bits while we carry on as usual, heads down, fingers hovering over suspicious links that won't come back to bite us. Unfortunately for all of us, this is nonsense of the highest order, and believing it is a luxury we can't afford.

Because the reality is prouder, messier, and far more human. Every organisation is a tight weave of tiny decisions made by actual people with actual habits, and those people don't stop being themselves the moment they badge into the building. If they overshare online, they'll overshare in a meeting. If they reuse passwords at home, they'll reuse them everywhere. If they're willing to click "allow" on a dubious app for a thirty percent discount, they'll do the same when the fake DocuSign rolls in on a Tuesday morning. Security isn't a job title. It's a mindset shaped by the same impulses that govern everything from how we shop to how we flirt. Pretending otherwise isn't liberating. It's negligent.

The "not my job" argument collapses even faster when you consider how connected we are. Eight hours a day glued to a device, twenty-four hours a day connected to a digital identity, and somehow we're meant to believe security lives exclusively inside the walls of one department. As if the security team is meant to protect your bank account, your private messages, your birthday selfies, your dating profile, your e-commerce trail, and the years of personal data you've scattered across the internet. If that's the expectation, then we might as well hand them the house keys and ask them to lock up at night.

Is security just the job of the security team? I think the fuck not.

Encouraging people to take responsibility for their own security isn't some corporate morality play. It's basic survival. You wouldn't watch a friend get their account drained, their socials nuked, or their private photos leaked and shrug it off as "unfortunate but really a job for IT". You'd tell them to get serious about MFA, password hygiene, and the trail of crumbs they're leaving online. The kindness of modern security is empowerment, not babysitting. The worst myth we can endorse is that responsibility is burdensome. In truth, it's the only thing that stops ordinary people from becoming collateral damage in attacks they never saw coming.

This is why proper security awareness matters more than any flashier technical initiative. When people start thinking about security in their personal world, the mindset transfers clearly to the professional one. Once you're used to enabling MFA on new accounts, you don't ignore it on corporate ones. If you're careful about oversharing online, you're careful about what you reveal in the office. If you have the instinct to report phishing as a gut reaction, you bring that instinct to work with you. Security becomes a reflex rather than a chore, and that does more to reduce organisational risk than any isolated team can alone.

The security team's job is vast but not mystical. They handle the architecture. They configure LAPS, deploy segmentation, and keep the critical machinery humming away in the background. They build the stage on which safe behaviour can actually matter. But they can't stand watch over every click, every conversation, tailgate, or rogue USB. Expecting them to do so is like blaming the fire brigade because you left a candle unattended in a room full of paper. Their role is vital, but it isn't omnipresent. It isn't meant to be.

We believe this so deeply that our most popular escape room, The Heist, is built around the very premise personal security sceptics love to ignore. There's no boardroom breach or shadowy corporate hack. Instead, you play the attacker who stumbles across a backpack on a train and uses the owner's personal information to wreak havoc. Social posts, messages, digital footprints, sloppy password practices. Nothing corporate. Everything personal. And it's terrifying how quickly it snowballs. The players end up thinking like threat actors, following OSINT trails, stitching together clues the victim left scattered across the internet. The game lands because it's recognisable. Humans are endlessly inventive, and unfortunately, so are their mistakes.

That's the truth at the heart of this debate. Personal security isn't a soft optional extra, and it isn't something we can outsource. It's the foundation that every security-aware organisation is built on, whether the individuals inside it realise it or not. If you want a safer organisation, you need safer people. And safer people aren't created by shielding them from responsibility. They're created by giving them the tools, the confidence, and occasionally the fright they need to take ownership of their digital lives.

Security isn't everyone's job because we're trying to lighten the security team's workload. It's everyone's job because the world is engineered that way now. Pretending otherwise is an indulgence that attackers are more than happy to exploit.
