Cyber security: whose responsibility is it anyway?
9 February 2017
Who should be managing cyber security? In practice it’s often someone in the IT function. But the case for responsibility lying outside IT is a strong one. Teiss guest blogger Stuart Reed, NTT Security’s global product marketing director, makes the case for independent oversight.
We all agree protecting a company’s critical information is essential. High-profile data breaches mean we know that losing information can mean a drop in market share and stock price. But one thing there is little agreement on is who is responsible for information security in a business.
While it’s often suggested that collective responsibility for security is the way forward, this simply pushes the overall duty around the table with no single person taking control. To better manage information security, organisations need a security champion who sits outside the IT department.
This could perhaps be a Chief Information Security Officer (CISO), someone who has an independent role and a budget they control themselves. In fact, 54 percent of organisations already have a CISO in charge of their security programs, according to the Global State of Information Security Survey 2016.
What’s not so clear is where the CISO function sits within the business, or how autonomous this function has become.
What is clear is that security should be a function in its own right. The information security budget often sits within IT but the danger here is that funds may be allocated to IT tools designed to help solve the problem – like additional network security. Yet many of today’s breaches are not the result of technology failings. Cyber attacks are just as likely to be the result of people ignoring the signals the technology is giving – either because of security-alert fatigue, or there not being enough resources to constantly monitor the systems and analyse the alerts.
IT security strategy
The root of many breaches is within the organisation and can be intentional, although it is more likely to be accidental. And the cost of mitigating these breaches is rising, giving organisations the financial incentive to focus on improving IT security.
But a strategy that necessitates spending money on more tools to reduce risk is part of the problem and is very different from a strategy that concentrates on driving education and awareness.
Diverting a significant sum to creating education and awareness programs for employees can make a difference, and is potentially one of the most important things an organisation can champion. In NTT Security’s latest Risk:Value report, 46 percent of respondents identified the workforce as being one of the organisation’s main security weaknesses. Understanding that people – and not just technology – are the solution to the problem is a step in the right direction.
Another, and very crucial, step in deciding where responsibility should lie is for organisations to fully understand their current risk exposure across all areas of the business. A risk assessment service, for example, would look for vulnerabilities in multiple areas including compliance, incident response, technology, cloud security, operations and supplier risk. In addition, targeted penetration testing would provide insight into security threats. Using this evidence to inform decisions can be a useful way to understand risk exposure. The end result should include a detailed road map to help organisations manage their security, educate their workforce and create an in-depth action plan, including a business case for where responsibility should lie.
Security in the boardroom
A security incident can have a long-lasting effect on a company and the good news is that the industry now sees security as a boardroom issue. The CEO will ultimately be accountable for a major breach but will need high-level, informed advice from an expert who can articulate the business risk, influence the workforce, and work with the regulators. And the board must ensure that there is executive ownership and budget available to manage security effectively.
In an ideal world, it will be the CISO, part business professional, part technology expert and part analytical thinker, who would take ownership of the security function and its budget. But CISOs, or at least CISOs with these skills, are in high demand and short supply. (If you have one of these people you should hold on to them!)
So what can you do if your business can’t find the perfect hire immediately? Consider outsourcing the function of security champion to a third party expert who can help you define the security strategy, manage compliance requirements, and respond to the changing technology landscape.
However, not all providers are the same. Find one that is prepared to work within your business model and to support your strategic aims – not to their own agenda. One that will give you access to their collective global knowledge and systems, and to their highly experienced people. This will give you the active threat management required to help mitigate risk at a time when the security skills gap is becoming increasingly hard to fill.
Stuart Reed is Senior Director, Global Product Marketing at NTT Security and is a highly skilled and motivated marketer in the IT industry. With more than 15 years’ experience in product based roles across world-class brands, Stuart has built a strong reputation as a thought leader on various areas including managed and professional services, risk management, cyber security and the cloud.
Since being appointed Senior Director, Stuart has been directly responsible for the product marketing function on a global basis to define, build and deliver strategic messaging across the organisation’s whole security and risk portfolio while developing new and compelling value propositions to bring to market.
Stuart also held several senior roles spanning hardware, software, mobile and cloud based technologies. Before joining NTT Security, he led his own marketing consultancy and additionally worked for global brands such as Sony and Symantec.