BreachExchange mailing list archives

You’ve been breached: Who should be held accountable?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 27 Sep 2013 19:00:00 -0600

https://bdaily.co.uk/opinion/27-09-2013/youve-been-breached-who-should-be-held-accountable/

With the ever increasing threat of cyber-crime knocking on one’s door, many
large organisations are reliant on IT security teams to protect their vast
network from attack.  As many Chief Information Security Officers (CISOs)
will attest, the larger the network, the more complicated the job.
According to Gartner, more than 95% of firewall breaches will be caused by
firewall misconfiguration, not firewall flaws.

Within large organisations there is the possibility of having potentially
hundreds of firewalls, network switches and routers from numerous vendors
with unpatched systems and various other network vulnerabilities, all that
can provide a route in for attackers.  Misconfiguration of firewall rules
and policies can pose a serious security threat, and constant diligence in
patching firewalls, monitoring configuration and assessing the rule base is
required to maintain security.

But what happens when a breach has occurred? Can an individual be held
accountable, or is it fair to put the responsibility entirely on to your
security team?

Who's accountable if the board doesn't listen?

There is a wealth of information from every vendor offering opinion on the
safest way to keep your organisation protected, yet very little is said
about ultimately who should be held accountable should a data breach occur.
Board rooms and CEOs rely on CISOs and security teams for advice and
guidance on security, and ultimately have the control of budgets.  Problems
arise when security teams are held accountable for breaches, even if they
have already highlighted the issue to the board, who subsequently decided
not to take action on the advice.

In the eyes of the public, when a data breach occurs it is often the board
room who must take overall responsibility, but other than the obvious
financial losses and reputational damage, there is often very little
individual internal accountability.  Board members can improve internal
accountability by requiring the business unit or mid-level managers to be
directly responsible for projects which would require sign off on the
security of new technology and systems they wish to introduce.  This in
turn means that the business unit must work with the security teams to
actively identify risks within existing and new projects.

Ultimately this puts the security teams into an advisory role that would
work alongside the business unit to report on the risks of current
projects.  It would require them to provide the visibility into the impact
that proposed changes to a network would have on the organisation’s overall
security posture.

Blame is not the name of the game

Addressing the issue of internal accountability isn’t about apportioning
blame to specific people or teams, but to highlight the need for one group
to take ownership of security.  Being directly responsible for security
would make project managers more diligent about security concerns, and in
the event of a breach, the entire organisation would be able to say that
all the necessary steps were taken to reduce the risk of a cyber attack.

Defining the roles and responsibilities within an organisation relating
to accountability means that security and project management teams can work
together more effectively, allowing the organisation to function better
and improving the efficiency of security.  Putting security teams into an
advisory role, and removing the threat of them being held accountable for
breaches, allows them to provide unbiased and, subsequently, better risk
management advice which will increase the overall security posture of the
organisation.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
