SC Congress London mulls data breach responsibility

News by Tony Morbin

Delegates and panelists debate breach liability, response, and the need for a plan of action.

The conference kicked off with a keynote on data breach responsibility, citing the Target case. Is the CEO deciding the security budget responsible for breach, or is it the CISO who spends it? Forrester security analyst and former CISO Andrew Rose says both must share responsibility – if the CISO had the chance to articulate security concerns at board level.

“It's shared accountability, although ultimately it comes back to the CEO funding cyber security properly.” Rose added that CISOs ‘must be asking the right questions' to get their budget and said that they should ensure that the right structure is in place for things like training.

Fellow panellist Becky Pinkard, security operations director for Pearson, agreed that accountability is a ‘complicated issue', with each case likely to be different, and levels of responsibility needing to be commensurate with authority.

Cyber security consultant Dr Jessica Barker added: “It also comes down to the culture. Are people willing to stand up and say when there has been an incident? You can only do so much to protect, but can do a lot to respond. Firing isn't always the right way.”

“We know breaches and attacks happen but it's ‘how are you going to communicate?'” said Rose, adding, “This comes down to having a plan, and knowing how your company will communicate properly.” Communication can be improved with security awareness training, said Derek Bates, trust information security officer at North Cumbria University, in another panel. “The whole thing with security awareness training is not to teach…they have too much [on]. What I am trying to do is to change the way they think and perceive what's around them.”

PCI compliance is a ‘tick box' exercise

Point-of-sale systems and PCI compliance are tied to many data breaches – as the Target case and figures in the recent Trustwave GSR report show – and some panellists suggested that PCI compliance is often treated as a ‘tick box' exercise. The panel agreed that compliance was no substitute for security, offering the analogy that you wouldn't stop repairing and maintaining your car just because it passed its MOT.

At a panel on the EU's new data protection law, awaiting EC approval, Stewart Room, partner at Field Fisher Waterhouse LLP, said: “Regulators and courts throughout Europe are acting as if the proposed legislation (due by 2017) were already in force,” citing Google's court case in Spain on the ‘right to be forgotten'.

Buzzwords and spying apps

A highlight was the “Not so smartphones” keynote demonstration and discussion on how ‘smartphones' are not so smart. SensePost's Daniel Cuthbert and Glenn Wilkinson discussed risk mitigation, but also ‘sniffed' the audience to demonstrate just what data their phones were sending out about them – and what more could be obtained by those who ignore the law.

The penultimate panel of the day focused on the Internet of Things, with Barry Coatesworth, a CISO in the retail sector, and Eddie Copeland, head of the technology policy unit at Policy Exchange, admitting that while the security issues are clear, there remain doubts over whether such devices can be regulated, and so they represent a new avenue for cyber-criminals. “In the rush to get to market with smart devices, companies are ignoring security issues; some are potentially very serious,” said Coatesworth.

SC Congress events are free to attend for IT security professionals. If you missed earlier events this year, there is another opportunity in November 2014 – see the SC website and Twitter for details of topics and speakers.
