BreachExchange mailing list archives
Re: The security blame game: Who should be held accountable for a breach?
From: "Al Mac Wow" <macwheel99 () wowway com>
Date: Thu, 24 Oct 2013 17:31:24 -0500
Thanks for all the wonderful info, but this is a bogus article. Boardrooms and CEOs do NOT rely on IT to provide security. High levels of corporate management provide IT with a budget which is often inadequate to do the job properly, and can take sides with different portions of the company when there is a difference of opinion between security guidelines and other corporate goals. An important job for the corporate leaders is to maximize profits and minimize costs. They often look upon accounting and IT as expenses they would love to get rid of, not seeing the benefits to the company of having such departments. I could tell you tons of anecdotes about the difference between the article and reality, but this stuff is confidential.

The IT workers get paid by the company to do the job, which often has to be inadequate due to mandates imposed upon the people who do the security work. The bottom line is that the top of a company tells the bottom of a company what to do, not the other way around. The IT workers do not have whistle-blower protection, nor a legal framework like a certified accountant. Responsibility for anything going wrong should land with the people who give the orders, not the people who struggle to obey them.

As an IT worker, I have been given many government forms to figure out how to fill out, which included identifying who filled them out. Once upon a time I got a call from a government official asking me follow-up questions, which included asking me what my job title was. Then he said the form needs to be filled out by the CFO. I said: No, sorry, the CFO gave it to me to fill out. He is my boss. He tells me what to do, not you, and furthermore, nowhere on the form or its instructions did it say who is to fill it out. We could have given it to the janitor and asked him to fill it out, but I did the best job I could at what was asked of me by my boss. He then asked to speak to the CFO. I declined. I told him that my boss had previously told me not to forward any calls to him, because he is getting more calls than he can handle. I am not going to defy my boss's orders at your request. You need to initiate a new call, and specifically ask for him.

Al Mac = Alister William Macintyre

_____
From: dataloss-bounces () datalossdb org [mailto:dataloss-bounces () datalossdb org] On Behalf Of Audrey McNeil
Sent: Wednesday, October 23, 2013 2:02 AM
To: dataloss () datalossdb org
Subject: [Dataloss] The security blame game: Who should be held accountable for a breach?

http://www.itproportal.com/2013/10/18/security-blame-game-who-should-be-held-accountable-breach/

With the ever-increasing threat of cybercrime knocking on one's door, many large organisations are reliant on IT security teams to protect their vast network from attack. As many Chief Information Security Officers (CISOs) will attest, the larger the network, the more complicated the job. According to Gartner, more than 95 per cent of firewall breaches will be caused by firewall misconfiguration, not firewall flaws. Within large organisations there is the possibility of having potentially hundreds of firewalls, network switches and routers from numerous vendors, with unpatched systems and various other network vulnerabilities, all of which can provide a route in for attackers. Misconfiguration of firewall rules and policies can pose a serious security threat, and constant diligence in patching firewalls, monitoring configuration and assessing the rule base is required to maintain security. But what happens when a breach has occurred? Can an individual be held accountable, or is it fair to put the responsibility entirely on to your security team?

Who is accountable if the board doesn't listen?

There is a wealth of information from every vendor offering opinion on the safest way to keep your organisation protected, yet very little is said about who should ultimately be held accountable should a data breach occur. Boardrooms and CEOs rely on CISOs and security teams for advice and guidance on security, and crucially have the control of budgets. Problems arise when security teams are held accountable for breaches, even if they have already highlighted the issue to the board, who subsequently decided not to take action on the advice. In the eyes of the public, when a data breach occurs it is often the boardroom who must take overall responsibility, but other than the obvious financial losses and reputational damage, there is often very little individual internal accountability.

Board members can improve internal accountability by requiring the business unit or mid-level managers to be directly responsible for projects, which would require sign-off on the security of new technology and systems they wish to introduce. This in turn means that the business unit must work with the security teams to actively identify risks within existing and new projects. Ultimately this puts the security teams into an advisory role that would work alongside the business unit to report on the risks of current projects. It would require them to provide visibility into the impact that proposed changes to a network would have on the organisation's overall security posture.

Blame is not the name of the game

Addressing the issue of internal accountability isn't about apportioning blame to specific people or teams, but about highlighting the need for one group to take ownership of security. Being directly responsible for security would make project managers more diligent about security concerns, and in the event of a breach, the entire organisation would be able to say that all the necessary steps were taken to reduce the risk of a cyber-attack. By defining the roles and responsibilities within an organisation relating to accountability, security and project management teams can work together more effectively, allowing the organisation to function better and improving the overall efficiency of security.

Putting security teams in an advisory role, and removing the threat of their being held accountable for breaches, allows them to provide unbiased and, subsequently, better risk management advice, which will increase the overall security posture of the organisation.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
Current thread:
- The security blame game: Who should be held accountable for a breach? Audrey McNeil (Oct 24)
- Re: The security blame game: Who should be held accountable for a breach? Al Mac Wow (Oct 25)