Roundtable: C-suite responsibilities in the case of a breach

SC Magazine's most recent roundtable opened with the question, when it comes to a breach, where does the buck stop? Who own's the breach?

Where does the buck stop when the inevitable happens?
Where does the buck stop when the inevitable happens?

SC Magazine's most recent roundtable opened with the question, when it comes to a breach, where does the buck stop?  Who own's the breach?

Broadly, there wasn't much disagreement. Bruce Beadle, ISO at AtCoreTec put it plainly: "ultimately the responsibility lies with the board", and within the board, its the CEO that provides leadership - ensuring the right policies are in place, and employing the right people with the right skills and authority, who understand what their role is to implement the policies.

The answer came faster and more decisively than expected and perhaps at that point we might have called it a day and gone home. 

That might be true, added Esther George, director of cyber-crime and prevention at 8man and formerly of the Crown Prosecution service. But relinquishing that responsibility solely to the board might not be the best idea: "Risk does belong to everybody in the business and giving staff the idea that it doesn't apply to them is dangerous".

This view was supported by Beverly Allen, group risk manager at Photobox, who commented, "risk belongs to the business, all of the business".

Tony Collings, a veteran of the military and the information security industry as well as SC roundtables, recalled the TEWTS from his army days, otherwise known as Tactical Exercises Without Troops. Such an exercise, noted Collings, creates "A scenario in which you exercise through, and its requires everyone from the top, to the bottom to the middle to take part".

How to make the business realise that though? there's the rub, suggested Hiten Vadukul, enterprise architect at Virgin Active: "The challenge that we often find is how do you make people accountable", with organisations he has worked with in the past using learning through 'interactive scenario based courses' with results, or learning, measured.

The table returned to this subject later that morning.  George made the point that when using Facebook, "How many of us have ticked the box that all of our pictures belong to them?" The point being, people compromise their employers with innocuous mistakes that are made every second of the day. 

That all-important accountability is nothing without employees understanding how they're accountable and what they're accountable for. Beverly Allen put it best: "If you don't enforce policy you don't have a policy". 

The table voiced a certain dissatisfaction with the people who are supposed to be training employees, often the Human Resources department. Frequently HR not only fail to understand how important data is, but fail to train employees intelligible ways to secure it. Dido Harding was not criticised for stepping forward to explain her company's breach, but it was felt there had been a failure of training and communication.

The human factor, unfortunately, will always be the weak point. Education is our line of defence against that inevitability, said Mark Reid of the Government and Policing Relationships Team at the National Crime Agency. This is an education problem, "its fashionable to play the blame game" said Reid, but just an "investment of 20 hours a fortnight can save a lot of heartache down the line."

Moreover, said Allen, there needs to be a culture of compliance where managers are actually monitoring their own teams. Compliance was one aspect the board understood, thus the role of compliance managers was seen as a vital component - but not the lead.

Essentially, you have to make it as easy as possible for employees to be educated, and therefore, compliant. Perhaps, said George, "You should have software in place that enables them to only do the right thing", like  "software which stops them using usb sticks" or posting passwords publicly. The idea of 'consequences' was popular too.

But accountability doesn't end at the front doors of the business. Plenty of breaches, such as Morrisons, occured through third parties working with the breached company.  Companies can take as much care as possible, and still be compromised through their affiliates. Thus contracts managers had a role to play too.

Vadukul noted that when PCI first came out, one had to be certified against that standard - there is no such unifom standard for breaches: "Response plans will change depending on the company you're at, but there's no regulation for it".

Yes, noted Sarb Sembhi, CISO at the Nord Group, but "not every organisation is the same". Different organisations have different needs, different goals and keyly, different risk appetites."

Richard Turner, EMEA president at FireEye, sponsor for the day, doubled down: "We have a problem with the word compliance - business risk is unique to the organisation in question."

These regulatory insufficiencies can come to a head when talking about who is the data-owner? Sembhi brought up the issue of what role the data controller would have, mandated under new EU GDPR rules coming into force now. George questioned their ability to be held accountable saying: "You can be the data controller, but if you're not a member of the board you're not going to get heard anyway".  And the skills shortage made it likely that the data controllers would often be a new responsibility for an existing role, or in smaller organisations like lawyers, likely outsourced.

One thing's certainly clear the gap between the where the buck stops and where it passes through has to be closed.

Reid closed the roundtable on a cautiously optimistic note. In this area, said Reid, "There is a new thing emerging, a new functional system of decision making and I still think we're in the early stages". Reid held his step:  "I think there is a massive crying out for leadership to take a step back and have a look at what's happening; a systematic strategic analysis of what's happening".

He was talking about the disconnect between those in IT who understand the technology involved in the causes of breaches but do not have a commerical or risk-based approach to business, and the majority of boards and CEOs who ultimately own the business risk but no longer always understand the nature of the risks for which they are responsible and the consequences their actions or inactions may now cause, making them not best placed to implement solutions, let alone drive business-wide transformation to a security culture.

So while CEOs, CIOs, CTOs, CISOs, HR, PR, Communications, Legal, Compliance, Audit, and customer services amongst others, all have their role to play, security is a team game, but some of the players have yet to have the rules explained to them.