CEOs and CISOs must share blame for data breaches

News by Doug Drinkwater

Data breaches continue to make the news, with eBay and Target the most prominent of recent victims, but questions are now being asked on which personnel should take the blame.

Following the goings-on at US retailer Target, which has seen various senior executives depart since its data breach affecting approximately 110 million users late last year, an esteemed panel of speakers considered breach responsibility at the second SC Congress London, which took place at the ILEC Centre in West Brompton on Tuesday.

Becky Pinkard, security operations director for Pearson, said that a lot of what is written on data breaches is a ‘bunch of hype' and added that an investigation into a ‘cross-section of multiple breaches' would likely reveal that most firms are ‘all doing similar things wrong'.

Considering this further, cyber security consultant Dr Jessica Barker suggested that poor passwords are often seen as the most likely route into an organisation, but that this view is sometimes wrong: encryption may not be in place correctly, and security training may not be up to scratch in educating users against phishing and social engineering attacks. Employees, she said, are either “the first line of defence or the weakest link”.

Pinkard and Forrester analyst Andrew Rose, a former CISO in the legal sector, stressed that smart companies are implementing incident response plans and may even be looking at cyber insurance. “Making your incident response plan is absolutely key,” said Pinkard. “If you don't have one, build one...even if it's ad hoc.”

For Rose, dealing with the aftermath of a data breach comes down to having such a plan, and knowing how your company will communicate properly on the issue, a criticism levelled at eBay after its data breach two weeks ago.

“You need to think about cyber security resilience…we know breaches and attacks happen but it's how are you going to communicate," said Rose.

Accountability a ‘complicated' issue

In the weeks after a data breach, attention turns to who was responsible for the disaster. With the Target breach, the CEO and CIO tendered their resignations, and the big-box retailer has since appointed its first-ever chief information security officer (CISO).

While Pinkard said that accountability is a ‘complicated issue', Rose believes that CISOs and CEOs must share this responsibility, so long as the CISO has had the chance to articulate security concerns at board level.

“It's shared accountability, although I think ultimately it comes back to CEO funding cyber security properly - I think the Target CEO understands that now.”

He added that CISOs ‘must be asking the right questions' in order to get their hands on budget, and said that they should ensure that the right structure is in place for things like training.

Barker added: “It also comes down to the culture so much as are people willing to stand up and say when there has been an incident.”

“You can only do so much to protect, but can do a lot to respond. Firing isn't always the right way.”

Rose, intriguingly, expects companies to employ chief privacy officers going forward and anticipates the rise of a ‘new breed of CISO' with little or no security background. They might be programme managers who go on to become chief operating officers (COOs), he says.
