BreachExchange mailing list archives

Re: The security blame game: Who should be held accountable for a breach?


From: "Al Mac Wow" <macwheel99 () wowway com>
Date: Thu, 24 Oct 2013 17:31:24 -0500

Thanks for all the wonderful info, but this is a bogus article.

Boardrooms and CEOs do NOT rely on IT to provide security.  High levels of
corporate management provide IT with a budget which is often inadequate to
do the job properly, and can take sides with different portions of the
company when there is a difference of opinion between security guidelines
and other corporate goals.

An important job for the corporate leaders is to maximize profits and
minimize costs.  They often look upon accounting and IT as expenses they
would love to get rid of, not seeing the benefits to the company by having
such departments.

I could tell you tons of anecdotes about the difference between the article
and reality, but this stuff is confidential.  The IT workers get paid by the
company to do the job, which often has to be inadequate due to mandates
imposed upon the people who do the security work.

The bottom line is that the top of a company tells the bottom of a company
what to do, not the other way around.  The IT workers do not have
whistleblower protection, nor a legal framework like a certified accountant.
Responsibility for anything going wrong should land with the people who give
the orders, not the people who struggle to obey them.

As an IT worker, I have been given many government forms to figure out how
to fill out, which included identifying who filled them out.  Once upon a
time I got a call from a government official asking me follow-up questions,
which included asking me what my job title was.  Then he said the form needs
to be filled out by the CFO.  I said, "No, sorry, the CFO gave it to me to
fill out.  He is my boss.  He tells me what to do, not you, and furthermore,
nowhere on the form or its instructions did it say who is to fill it out.
We could have given it to the janitor, and asked him to fill it out, but I
did the best job I could that was asked of me by my boss."  He then asked to
speak to the CFO.  I declined.  I told him that my boss had previously told
me not to forward any calls to him, because he is getting more calls than he
can handle.  I am not going to defy my boss's orders at your request.  You
need to initiate a new call, and specifically ask for him.

Al Mac = Alister William Macintyre.

  _____  

From: dataloss-bounces () datalossdb org
[mailto:dataloss-bounces () datalossdb org] On Behalf Of Audrey McNeil
Sent: Wednesday, October 23, 2013 2:02 AM
To: dataloss () datalossdb org
Subject: [Dataloss] The security blame game: Who should be held
accountable for a breach?

http://www.itproportal.com/2013/10/18/security-blame-game-who-should-be-held-accountable-breach/

With the ever increasing threat of cybercrime knocking on one's door, many
large organisations are reliant on IT security teams to protect their vast
network from attack. As many Chief Information Security Officers (CISOs)
will attest, the larger the network, the more complicated the job. According
to Gartner, more than 95 per cent of firewall breaches will be caused by
firewall misconfiguration, not firewall flaws.

Within large organisations there is the possibility of having potentially
hundreds of firewalls, network switches and routers from numerous vendors
with unpatched systems and various other network vulnerabilities, all of
which can provide a route in for attackers. Misconfiguration of firewall
rules and policies can pose a serious security threat, and constant
diligence in patching firewalls, monitoring configuration and assessing the
rule base is required to maintain security.

But what happens when a breach has occurred? Can an individual be held
accountable, or is it fair to put the responsibility entirely onto your
security team?

Who is accountable if the board doesn't listen?

There is a wealth of information from every vendor offering opinion on the
safest way to keep your organisation protected, yet very little is said
about who should ultimately be held accountable should a data breach occur.
Boardrooms and CEOs rely on CISOs and security teams for advice and guidance
on security, and crucially have the control of budgets. Problems arise when
security teams are held accountable for breaches, even if they have already
highlighted the issue to the board, who subsequently decided not to take
action on the advice.

In the eyes of the public, when a data breach occurs it is often the
boardroom who must take overall responsibility, but other than the obvious
financial losses and reputational damage, there is often very little
individual internal accountability. Board members can improve internal
accountability by requiring the business unit or mid-level managers to be
directly responsible for projects which would require sign off on the
security of new technology and systems they wish to introduce. This in turn
means that the business unit must work with the security teams to actively
identify risks within existing and new projects.

Ultimately this puts the security teams into an advisory role that would
work alongside the business unit to report on the risks of current projects.
It would require them to provide visibility into the impact that
proposed changes to a network would have on the organisation's overall
security posture.

Blame is not the name of the game

Addressing the issue of internal accountability isn't about apportioning
blame to specific people or teams, but about highlighting the need for one
group to take ownership of security. Being directly responsible for security
would make project managers more diligent about security concerns, and in the
event of a breach, the entire organisation would be able to say that all the
necessary steps were taken to reduce the risk of a cyber-attack.

By defining the roles and responsibilities within an organisation relating
to accountability, security and project management teams can work together
more effectively, allowing the organisation to function better and improving
the overall efficiency of security. Putting security teams in an advisory
role, and removing the threat of their being held accountable for breaches,
allows them to provide unbiased and, subsequently, better risk management
advice, which will increase the overall security posture of the organisation.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
