According to the 2022 Verizon Data Breach Investigations Report, 82 percent of data breaches had some human element, such as phishing, misused credentials, or other human error. We often hear that “security is everyone’s responsibility.” While each person has a part to play in their organization’s security, there must also be accountability for the overall results of the organization’s security program and culture. So in the event of a security incident or data breach, where does the buck stop?
There will always be risks, and there is always something you could have done differently to mitigate those risks or prevent an incident from happening because of them. The person who takes accountability is the one who says, “I recognize we could have done these things, and we didn’t.”
Overall accountability for security should rest at board level, with the company CEO or top leader in the company. While it’s the role of the CISO, vCISO, or internal security guru to advise on risk and implement the security strategies approved by leadership, accountability lies with those that make the ultimate business decisions. The company leader can delegate almost everything except for accountability.
Too often, the CISO or security advisor is used as a scapegoat in the event of a major hack or data breach. Whether the individual is an internal or external advisor, the lead security role is ultimately an advisory one. Their job is to measure risk and communicate it clearly and effectively to leadership, who is ultimately accountable.
When leadership is armed with the advice of the person in the security role, they have the authority to make decisions on which security strategies will be implemented based on time, budget, and personnel. Leadership should be involved with all major decisions that impact a company’s people, processes, and technology. If a CISO or member of the security team were held entirely accountable for cybersecurity risk, they may choose to implement every effort to mitigate as much cybersecurity risk as possible. And while that sounds great, prioritizing cybersecurity above all other business needs could have major impacts on other critical business objectives, including finances or productivity levels. Business leaders that see the entire picture can weigh the competing interests, take risk into account, and prioritize those interests to make ultimate decisions—even if that decision is to take on security risk in favor of low cost.
A CISO is ultimately responsible for the confidentiality, integrity, and availability of a company’s information assets, including data and systems. The CISO has a seat at the table for all critical projects to advise on potential risks to the people, processes, and technology of the organization.
As a risk advisor, the CISO must be a business enabler. This means understanding how security risks impact overall business objectives and communicating those risks clearly and effectively to non-technical stakeholders.
Companies that are not yet at the point of hiring a full-time CISO may choose to hire a virtual CISO (vCISO). Utilizing a vCISO allows your business to use their services as you need, making their time flexible and scalable on short notice, while reducing the costs associated with headcount. A vCISO can also offer an independent perspective, which not only reduces potential conflicts of interest, but also provides a unique viewpoint from outside your organization.
Leadership can delegate the following responsibilities to a CISO or vCISO:
For an in-depth explanation of the responsibilities of a CISO, check out BARR’s State of the CISO whitepaper.
If you have confidence in your product and your business, ensure you also invest in security. If you don’t know where to begin, hiring a professional to serve as a sounding board is the place to start.
Have questions about security accountability or interested in learning more about how a vCISO can help your organization? Contact us today.