Executive Responsibility
Liability for data breaches that impact customers leads directly to the C-suite. Executives have an ethical, professional and, in many cases, legal obligation to personally know the strength of their company’s cyber defenses, as well as the company strategy for countermeasures and responses to attacks and breaches. However, a survey conducted as recently as 2017 (after infamous breaches including Target, Sony and Equifax) revealed that only 40% of executive teams had a good understanding of their cyber security protocols and capabilities (Sweeney, 2017). The lack of understanding includes both tactical and strategic gaps. Methods of resolving the tactical gaps include annual vulnerability assessments and incident response tests (Khiabani, 2014). However, a more impactful method for closing the gap is for the C-suite, specifically the CEO, to establish a stronger rapport and working relationship with the CISO (Sweeney, 2017). While the CISO has the responsibility to identify risks and implement protocols, it is the line of business (LoB) executives’ responsibility to understand and implement security procedures across the business.
Responsibility of the CEO
The CEO, as the top executive in the company, has the responsibility to manage risk, which includes cyber security risks. The CEO needs to model the importance of cybersecurity by having direct involvement with the senior security executives who drive the cyber security strategy throughout the organization (Kaplan, et al., 2011). CEOs must continually educate themselves and the Board of Directors (BoD) on cyber security, as this risk is inherently dynamic.
Responsibility of the CISO
The role of the modern-day CISO is to provide the leadership and guidance necessary for an organization to manage the risks to the confidentiality, integrity and availability of the organization's intellectual property and information technology assets (Wild, 2017). This includes security policies, procedures, controls, and the ISSP (Information Systems Security Plan), plus creating and building the security organization to support the company.
References:
Kaplan, J., Sharma, S., & Weinberg, A. (2011, June). Meeting the cybersecurity challenge. Retrieved July 7, 2018, from https://www.mckinsey.com/business-functions/digitalmckinsey/our-insights/meeting-the-cybersecurity-challenge
Khiabani, H. (2014, April 7). Incident Response Exercise Planning Be Ready – Be Prepared. Retrieved July 7, 2018, from https://www.sans.org/readingroom/whitepapers/incident/incident-handling-annual-testing-training-34565
Sweeney, B. (2017, April 24). Cybersecurity Is Every Executive's Job. Retrieved July 7, 2018, from https://hbr.org/2016/09/cybersecurity-is-every-executives-job
Wild, A. (2017). What is the Role of the CISO? Retrieved July 1, 2018, from http://www.infosectoday.com/Articles/CISO_Role.htm#.WzknwtJKjb1