Recently at an SC Magazine Roundtable, editor Tony Morbin opened with the observation that while cyber-security is now a boardroom issue, boards are still not taking it seriously enough. A KPMG survey found that 61 percent had an acceptable understanding of what their key data assets were, but only 24 percent were reviewing their information-risk policies.
Is lack of priority due to confusion about lines of responsibility or simply a lack of resources to deal with the problem of cyber-security? Delegates say it's not simple, and it's made more complex depending on whether you are talking about large or small- to medium-size enterprises (SMEs).
Who is responsible?
The KPMG survey of large companies asked where primary responsibility for information security lay: in 16 percent of cases it was with the chief executive officer (CEO), for 31 percent it was the chief financial officer (CFO), and only 15 percent said it was with the chief information officer (CIO).
Sarb Sembhi, director at Storm Guidance, said many organisations lacked a clear understanding of the board of directors' approach to risk management.
For Roger Dean, head of specialist projects at EEMA, securing the supply chain was a major issue for most companies, and this was a theme picked up by Darren Argyle, global CISO at Markit.
According to Argyle, CISOs agree that supply chain security is a priority, but there are two sides to the issue: reporting on security issues to clients and how your own vendors report their security issues to you. He suggested the need for a shared platform for security reporting.
There was support for Stephanie Daman, CEO of Cyber Security Challenge UK Ltd, who said that at the board level it was about convincing directors that the issue is information security, not IT security – that the threat comes from losing control of the information rather than controlling the technology.
Ultimately it's the CEO's responsibility to address the issue of information and cyber-security, said Lorraine Spector of the LS Consultancy. Even if the CEO doesn't understand the issues he or she is dealing with, a value can still be put on the information and the consequences of losing control of it. From there, the focus on the issue should cascade down through the organisation, but it has to come from the CEO with budget responsibility.
Argyle added that to do this, the CEO and the board have to determine the organisation's appetite for risk.
Rajan Chada, director at IBN, noted that in the UK there are 4.9 million SMEs, each holding data on an average of 10,000 customers.
Sembhi said there is a danger in assuming that all SMEs are alike when in fact they are diverse in size, markets, experience and skills. These factors will influence how organisations approach security and who is responsible.
Dean asked if cyber-insurance was the answer. Insurance mitigates losses, and the insured risk is put under the scrutiny of an insurance company.
Daman expressed concern that outsourcing risk could encourage a lax 'tick box' approach, but Argyle countered by reiterating Dean's point that it could encourage companies to increase security.
Sembhi said that insurance can be used as a risk management tool but in reality it is only one of many.
All of which suggests that liability and insurance may be the levers by which the CISO will be empowered to influence the CEO and the board to tackle information security.
For more information on SC Magazine's Editorial Roundtable Series, please go to www.scmagazineuk.com