BreachExchange mailing list archives

The security blame game: Who should be held accountable for a breach?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 23 Oct 2013 01:01:46 -0600

http://www.itproportal.com/2013/10/18/security-blame-game-who-should-be-held-accountable-breach/

With the ever increasing threat of cybercrime knocking on one’s door, many
large organisations are reliant on IT security teams to protect their vast
network from attack. As many Chief Information Security Officers (CISOs)
will attest, the larger the network, the more complicated the job.
According to Gartner, more than 95 per cent of firewall breaches will be
caused by firewall misconfiguration, not firewall flaws.

Within large organisations there is the possibility of having potentially
hundreds of firewalls, network switches and routers from numerous vendors
with unpatched systems and various other network vulnerabilities, all of
which can provide a route in for attackers. Misconfiguration of firewall
rules and policies can pose a serious security threat, and constant
diligence in patching firewalls, monitoring configuration and assessing the
rule base is required to maintain security.

But what happens when a breach has occurred? Can an individual be held
accountable, or is it fair to put the responsibility entirely onto your
security team?

Who is accountable if the board doesn’t listen?

There is a wealth of information from every vendor offering opinion on the
safest way to keep your organisation protected, yet very little is said
about who should ultimately be held accountable should a data breach occur.
Boardrooms and CEOs rely on CISOs and security teams for advice and
guidance on security, and crucially have the control of budgets. Problems
arise when security teams are held accountable for breaches, even if they
have already highlighted the issue to the board, who subsequently decided
not to take action on the advice.

In the eyes of the public, when a data breach occurs it is often the
boardroom who must take overall responsibility, but other than the obvious
financial losses and reputational damage, there is often very little
individual internal accountability. Board members can improve internal
accountability by requiring the business unit or mid-level managers to be
directly responsible for projects which would require sign off on the
security of new technology and systems they wish to introduce. This in turn
means that the business unit must work with the security teams to actively
identify risks within existing and new projects.

Ultimately this puts the security teams into an advisory role, working
alongside the business unit to report on the risks of current projects. It
would require them to provide visibility into the impact that proposed
changes to a network would have on the organisation's overall security
posture.

Blame is not the name of the game

Addressing the issue of internal accountability isn't about apportioning
blame to specific people or teams, but about highlighting the need for one
group to take ownership of security. Being directly responsible for
security would make project managers more diligent about security concerns,
and in the event of a breach, the entire organisation would be able to say
that all the necessary steps were taken to reduce the risk of a cyber-attack.

By defining the roles and responsibilities within an organisation relating
to accountability, security and project management teams can work together
more effectively, allowing the organisation to function better and
improving the overall efficiency of security. Putting security teams in an
advisory role, and removing the threat of their being held accountable for
breaches, allows them to provide unbiased and, subsequently, better risk
management advice, which will improve the overall security posture of the
organisation.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/