Data breach responsibility lies with C-Suite security roles
5 May 2015
Four out of 10 security professionals believe that data breaches would land at the door of chief information security officers (CISO), chief information officers (CIO) and chief security officers (CSO) rather than CEOs, according to an impromptu survey of attendees at the recent US RSA Conference.
According to security firm Tripwire, 41% of the 250 security professionals surveyed were of this opinion when asked who would be held responsible for data breaches, while a slightly lower 35% believed this job title should be held responsible.
As for the CEO, only 18% believed this job role would be handed the blame with a further 10% suggesting the entire board would be on the block.
“Cyber security liability is difficult to assign because you have to determine who knew about the risks, and then you have to figure out what they did, or did not do about them,” said Tripwire senior security analyst, Ken Westin.
“If the CEO is made aware of security risks and does not provide the resources or plans to fix them, they own some of the responsibility.
“On the other hand, if the CISO does not share information about risk in a format that the CEO can understand, or fails to deploy the security controls and monitoring necessary to identify potential risks, then a greater share of the responsibility falls on him/her,” he said.
The recent evidence from US firms is that the consequences for board members depend on the seriousness of the breach. Big breaches, for example last year’s Target breach, seem to result in resignations not only of CIO-level board members but also of CEOs. On that occasion both CEO Glenn Steinhafel and CIO Beth M Jacob resigned. Nobody escapes blame.
In the case of Sony, it was chairwoman Amy Pascal who ended up losing her job, but that was more about the embarrassing nature of her emails than a result of the breach itself.
John E Dunn, IDG News Service