Who do you think should take the blame when a data breach strikes?
It is now common for a data breach to impact millions of people in one fell swoop, delivering a crushing blow to the targeted organisation both financially and in terms of reputation.
An important question emerges from the smoke and debris of the disaster: who are we going to blame? The threat landscape has transformed, and the problem no longer begins and ends within a designated IT department.
With the potential damage so severe, shareholders are now becoming aware of the risk of a successful cyberattack, bringing executives directly into the firing line. This shift has even brought board members into play, and particularly the c-suite.
Bill Evans, Vice President of Marketing, One Identity, said: “With the latest catastrophic breach of the US credit rating agency, Equifax, it’s not too much to wonder, who is to blame for this situation and what price should be paid. As with most complex situations, the answer is rarely one person, but unfortunately, in the court of public opinion, a myriad of sacrificial lambs is unlikely to suffice.”
Facing the firing squad most commonly is the Chief Information Officer (CIO), and while this may be unjust, it is often the only option businesses are left with to stem collateral damage to their reputation.
All is not lost for those carrying the heavy burden of the CIO role: with preventative measures in place, the holder of this c-suite position can avoid being dispatched with such swift vengeance.
Ensure clear visibility
Sean Herbert, UK Country Manager, Baramundi, said: “Chief Information Officers (CIOs) are often held responsible for breaches to the systems they are managing, despite the fact that they are not the ones directly installing, managing and updating their businesses’ various endpoints and security features.”
“If the breach is sufficiently serious, CIOs are often sacrificially offered up to try and limit reputational damage to the business; as more companies suffer breaches, the CIO position becomes ever more vulnerable. They can protect themselves by making sure that they have clear visibility into every aspect of their professional domain, and that the efforts that need to be undertaken are done proactively and as soon as they are actionable.”
Get ready for GDPR
Mike Pittenger, VP of Security at Black Duck Software, said: “If security is not treated as a priority, and regulatory standards like GDPR are not addressed with appropriate measures, I believe CIOs are placing their careers in jeopardy. The consequences of breaches, financially and reputationally, are simply too great for organizations. Like any other critical role, performance matters.
“IT and software security are not the sole responsibility of a CIO, CSO, or any other role. They require top-down support from the executive teams and Boards of Directors. The next step is to understand the risks the organization faces: Who are their likely attackers? What information or IP will be targeted? What are likely attack vectors?
“Patching publicly disclosed vulnerabilities in commonly used open source components should be the easy part, assuming one is tracking those components closely and monitoring for new vulnerabilities. Commonly used tools for identifying unpatched systems, like vulnerability assessment tools, do NOT usually cover this area. Instead, they focus on unpatched commercial products and configuration issues, and are blind to the vulnerable components used in custom applications.”
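The gap Pittenger describes, that vulnerability scanners report unpatched products but not the open source components compiled into custom applications, is closed by keeping an inventory of those components and comparing it against advisories. The script below is an added illustration written for this article; it is not Black Duck's tooling or any vendor's product. The manifest and the advisory feed are constructed sample data, the advisory identifiers are placeholders rather than real CVE numbers, and the function names (`parse_manifest`, `find_affected`, `run_check`) are invented for the example. It also shows the edge case a real check has to handle: a component whose version is not pinned cannot be assessed against a fixed-in version and is reported separately rather than silently skipped.

```python
"""Added example: a minimal open-source component inventory check.

Illustrative code written for this article, not Black Duck's or any vendor's
tooling. The manifest and the advisory feed are constructed sample data; the
advisory identifiers are placeholders, not real CVEs.
"""
import re

# Constructed sample manifest in pip requirements style (not a real project).
SAMPLE_MANIFEST = """\
# web application dependencies (constructed sample)
requests==2.19.1
pyyaml==3.12
flask==1.0.2
jinja2==2.10
cryptography>=2.0
"""

# Constructed advisory feed: component -> list of (fixed_in, placeholder id).
# A component is treated as affected when its pinned version is below fixed_in.
SAMPLE_ADVISORIES = {
    "pyyaml": [("4.1", "ADVISORY-PLACEHOLDER-1")],
    "jinja2": [("2.10.1", "ADVISORY-PLACEHOLDER-2")],
    "requests": [("2.20.0", "ADVISORY-PLACEHOLDER-3")],
}

PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*$")
UNPINNED_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(>=|<=|>|<|~=|!=)")


def parse_version(text):
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically.
    Non-numeric parts (e.g. '1.0rc1') compare as 0; good enough for a demo."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def parse_manifest(text):
    """Return ({name: version} for pinned lines, [names] that are unpinned).
    Unpinned components cannot be assessed against fixed-in versions, so the
    check reports them separately instead of silently skipping them."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
            continue
        u = UNPINNED_RE.match(line)
        if u:
            unpinned.append(u.group(1).lower())
    return pinned, unpinned


def find_affected(pinned, advisories):
    """List (name, installed, fixed_in, advisory_id) for every pinned component
    whose version is older than an advisory's fixed-in version."""
    findings = []
    for name, installed in pinned.items():
        for fixed_in, advisory_id in advisories.get(name, []):
            if parse_version(installed) < parse_version(fixed_in):
                findings.append((name, installed, fixed_in, advisory_id))
    return findings


def run_check(manifest_text=SAMPLE_MANIFEST, advisories=SAMPLE_ADVISORIES):
    """Run the inventory check and return affected and unassessable components."""
    pinned, unpinned = parse_manifest(manifest_text)
    return {"affected": find_affected(pinned, advisories), "unpinned": unpinned}


if __name__ == "__main__":
    report = run_check()
    for name, installed, fixed_in, adv in report["affected"]:
        print(f"{name} {installed} is below fixed-in version {fixed_in} ({adv})")
    for name in report["unpinned"]:
        print(f"{name}: version not pinned, cannot be assessed")
```

In a real pipeline the manifest would be read from the build (a lock file or a software bill of materials) and the advisory feed from a maintained source, and the check would run on every build and again whenever the feed changes, which is the "monitoring for new vulnerabilities" part of the quote: a component that was clean yesterday can be affected today without anything in the application changing.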
Put the right technology in place
Tony Pepper, CEO, Egress said: “We’re now living and working in a world where security breaches can happen at any moment and the causes differ hugely. While organisations need to be doing everything they possibly can to protect their data, no-one is infallible. There are always going to be individuals who fall on their swords when a situation happens, but that is the case for any business in crisis – someone must be seen to take responsibility.”
“CIOs today have got an incredibly difficult job and it’s unlikely to get easier. More technology means more potential breach points and it’s a constant game of cat and mouse trying to plug the holes. That of course does not excuse those who have ignored issues or failed to take measures to avoid security incidents, but it should stop us rushing to apportion blame. In reality it’s a CIO’s job to protect their business, not just themselves, and the only way to do so is to ensure that the organisation is as protected as it can be through regular security reviews, including assessments of third-party providers, and ensuring the right technology is in place to catch any potentially harmful situations.”
Create a cultural shift
Martin Ewings, Director of Specialist Markets at Experis, said: “People are the biggest vulnerability to security. Without the correct training, staff members could unknowingly give hackers access to crucial files or data, counteracting any technological defence efforts. While businesses are becoming more aware of this as a threat, there is still a long way to go in terms of improving organisational intelligence around security; and as a result, IT security needs to be pushed up the board’s agenda to be taken more seriously.
“The most effective way for CIOs to tackle threats is to change the perception of IT security across the entire organisation. Starting from the top down, putting it on the board’s agenda and ensuring that every department recognises the impact that a breach could have on the business will encourage each individual to reconsider their approach to security. The most important move a new CIO needs to make is this cultural shift towards a more considered security strategy throughout the organisation.”