Who Holds the Ultimate Responsibility for Cyber Security?

James Kelsh
Author
3rd October 2023
Information Security

Understanding the Shared Responsibility in Safeguarding Your Organisation

When it comes to safeguarding organisations against cyber threats, a clear understanding of responsibilities is crucial. In this article, Resolution IT’s Information Security Director, James Kelsh, sheds light on the intricate web of accountabilities within the realm of cyber security.

Unveiling Common Misconceptions

Last month, we posed the question of who is ultimately accountable for cyber security to our LinkedIn followers. Unsurprisingly, a substantial number of responses pointed towards the company’s IT department. But I’m afraid it’s not that simple.

While the primary responsibility for cyber and information security rests with the board, in particular the Chief Information Security Officer, the ultimate accountability for any cyber and information security matters falls to the CEO.

Shifting from Responsibility to Accountability

Let’s distinguish between responsibility and accountability. In a corporate structure, the board is ultimately accountable to shareholders for risk management, including cyber security and privacy risks. However, this doesn’t entail that the board handles the operational aspects; other individuals within or outside the organisation take on those responsibilities. Nonetheless, the accountability rests with the board.

Instances of CEOs stepping down after security breaches serve as examples of the accountability at play. While the CEO is ultimately accountable for ensuring cyber and information security is embedded into the culture, the Chief Information Security Officer (CISO) collaborates with leadership to determine acceptable risk levels and is accountable to the board for creating and maintaining a comprehensive information security strategy.

In a broader sense, however, it’s essential to recognise that the secondary responsibility extends to every member of the business. This nuanced distribution of accountability underscores the collective effort required to mitigate risks effectively.

Navigating the Ambiguity

In many organisations, the lines of responsibility for cyber security remain blurred, leaving room for potential errors and vulnerabilities. Astonishingly, research from RMM reveals that only 38% of board members view the CEO as the ultimate authority in cyber security matters. This discrepancy highlights the need to treat cyber crime as a senior executive concern, with the CEO bearing the liability in the event of a data breach or cyber attack.

The Threat Within: A Team Approach to Cyber Security

Each end-user within your organisation presents a potential threat to sensitive data. A staggering 90% of cyber attacks are initiated through emails, often via phishing attempts, malicious links, or compromised attachments. A single click on a malicious email could jeopardise your data, underscoring the criticality of comprehensive and regular cyber awareness training for all staff members.

Despite the surge in cyber security incidents, numerous organisations remain entrenched in a ‘culture of accountability.’ To truly enhance security, businesses must address cyber security as a cultural issue. While the CISO and IT provider can equip you with the necessary tools and guidance for a robust security infrastructure, the onus lies on senior leadership and management to instil a sense of cyber hygiene across the team. Unfortunately, senior leaders themselves are often hampered by inadequate cyber awareness training and a lack of appreciation for their own role in security.

“Corporate governance specialists are increasingly concerned that senior management and board directors across the world are ill-prepared for potential data breaches and other technology problems” – Attracta Mooney and Jennifer Thompson, The Financial Times

A Complex Web of Accountability

In the aftermath of a cyber breach, the instinct to assign blame is natural. Was the IT provider diligent? Did an employee neglect data protection? Was the person responsible informed about the latest threats? In reality, cyber security is a multifaceted endeavour, with a variety of factors contributing to its success or failure. The interplay of various elements highlights that there’s no single entity to blame. This realisation is often belated, as many businesses only prioritise cyber security after experiencing a breach.

“The influx of ransomware and supply chain attacks seen throughout 2021 should be a wake-up call that security is a business issue and not just another problem for IT to solve.” – Paul Proctor, Vice President at Gartner.

Cultivating a Culture of Shared Responsibility

So, how can organisations foster a culture of shared responsibility for cyber security? The journey begins with three pivotal steps:

Sharing Cyber Security Decisions:

Your Chief Information Security Officer, or virtual CISO (vCISO), acts as a bridge between the technical realm and the board, facilitating discussions on cyber security models, investments, and training. This prepares the leadership team for their role in shared accountability.

Cyber Security Awareness Training:

Equipping your team with the ability to recognise the value of information and identify suspicious activities is paramount. A majority of breaches result from simple clicks on phishing emails. Through awareness training, employees become empowered guardians of both their data and the organisation’s.

Partnering with a Trustworthy Cyber Security Ally:

A reliable cyber and information security partner, whether a vCISO or consultant, should keep your organisation informed about evolving threats.

When it comes to cyber security, the answer isn’t confined to a single entity. It’s a collective effort that involves every member of the organisation. While primary responsibility falls on the CISO and leadership, shared accountability necessitates the involvement of all employees. Transitioning from a culture of mere responsibility to one of shared accountability demands open discussions, comprehensive training, and strategic partnerships. In an era where cyber attacks are rampant, the realisation that security is a business-wide concern is a pivotal step towards safeguarding an organisation’s digital integrity.

James Kelsh

James heads up our Information Security department, helping clients to understand cyber security and assisting with certifications such as Cyber Essentials and IASME.

With an extensive history of working in the information technology and services industry, he is a qualified Information Security auditor, able to audit companies to Cyber Essentials + and IASME Gold standards. James holds a Masters Degree, with a focus on IT and Information Security, from the University of Liverpool.

James has experience in various senior IT roles as well as a BSc in Physics, CISSP and SSCP certifications.
