Survey: C-level Tech Execs Most Responsible for Breaches

As the data breach epidemic rages on, the question of corporate liability has been front and center. It turns out that many security-industry folks believe that C-level technology executives would and should be the ones held responsible for compromises, new research has revealed.

According to a survey by Tripwire of 250 attendees at RSA Conference USA 2015 and BSidesSF 2015 in San Francisco last week, technology leaders within firms are the ones who should be on the hook for security, even though the vulnerabilities behind today's damaging cyber-attacks are pervasive, appear on many fronts, and affect a broad range of industries.

When asked, “Who would be held responsible in the wake of a data breach on critical infrastructure in your organization,” 41% of survey respondents said “CIO, CISO or CSO.”

When asked, “Who should be held responsible in the wake of a data breach on critical infrastructure in your organization,” 35% said “CIO, CISO or CSO.”

Only 18% of respondents believe the CEO would be held responsible, and only 10% believe the company board would be held responsible. Of course, in Target’s case, that’s exactly who was held responsible, to the point of resignation.

“Cyber security liability is difficult to assign because you have to determine who knew about the risks, and then you have to figure out what they did, or did not do about them,” said Ken Westin, senior security analyst for Tripwire. “If the CEO is made aware of security risks and does not provide the resources or plans to fix them, they own some of the responsibility.”

On the other hand, a large part of this boils down to cross-department communication. If the CISO does not share information about risk in a format that the CEO can understand, or fails to deploy the security controls and monitoring necessary to identify potential risks, then a greater share of the responsibility falls on her, Westin added.

“Cyber security is a team sport that requires active support across the organization and from all levels of the executive team,” he said.
