This website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more.
This Website Uses Cookies
By closing this message or continuing to use our site, you agree to our cookie policy. Learn More
This website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more.
Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • Home
  • News
    • Security Newswire
    • Technologies
    • Security Blog
    • Newsletter
    • Web Exclusives
  • Columns
    • Career Intelligence
    • Security Talk
    • The Corner Office
    • Leadership & Management
    • Cyber Tactics
    • Overseas and Secure
    • The Risk Matrix
  • Management
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • More
  • Physical
    • Access Management
    • Video Surveillance
    • Identity Management
    • More
  • Cyber
  • Sectors
    • Education: University
    • Hospitals & Medical Centers
    • Critical Infrastructure
    • More
  • Exclusives
    • Security 500 Report
    • Most Influential People in Security
    • Top Guard and Security Officer Companies
    • The Security Leadership Issue
    • Annual Innovations, Technology, & Services Report
  • Events
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
    • Security 500 West
  • Resources
    • The Magazine
      • This Month's Issue
      • Digital Edition
      • Archives
      • Professional Security Canada
    • Videos
      • ISC West 2019
    • Photo Galleries
    • Polls
    • Classifieds & Job Listings
    • White Papers
    • Mobile App
    • Store
    • Sponsor Insights
    • Continuing Education
  • InfoCenters
    • Building AppSec in Enterprises
    • Video Management Systems
  • Contact
    • Editorial Guidelines
  • Advertise
Home » Who in an Organization is Responsible for a Data Breach?
Cyber Security NewsSecurity Leadership and Management

Who in an Organization is Responsible for a Data Breach?

finger-cyberenews
August 2, 2018
Cindy Kaplan
KEYWORDS cyberattack / cybersecurity compliance / data breach / security careers
Reprints
No Comments

It is Sunday night, and your favorite team just narrowly lost the game. Who is responsible for the loss? Do you blame the field goal kicker who missed the potential winning kick in the closing seconds? Maybe you blame the quarterback, who always seems to accrue too much credit or blame due to the position, regardless of his performance. Maybe the officials? How about the coach who was in charge of the game plan or the general manager who chose the players?

Now take this same analogy and apply it to the practice of casting blame when it comes to a data breach at a large company. Do you blame the employee who clicked the embedded email link that launched the malware and implanted a rootkit? Do you blame the IT department at large or the CIO for not having the necessary security tools in place to prevent it? What about pointing the blame at the top of the pyramid towards the CEO or the corporate board of directors?

While casting blame for your local team’s loss on Sunday may make for great sports talk, asserting blame for your company’s data breach is an uncomfortable exercise of self-effacement. It is a matter that many company leaders are struggling with. According to a recent survey conducted by the Ponemon Institute, 67% of CISOs expect a data breach or cyberattack in 2018. This was an increase over the previous year in which 60 percent confirmed these expectations for 2017. In addition, 45% expressed worry that they would lose their jobs following a cyberattack on their organization. A nearly identical response was found from a survey conducted at Infosecurity Europe 2017 in which security professional were asked which company position was most responsible in the event of a company data breach. Of the respondents, 40% believed that the CEO would be first on the firing line, followed by the CISO (21%), “Other” (15%) and CIO (14%).

With the intense media spotlight on breaches such as Equifax, Uber and Target, it is no wonder that company executives are worried about their jobs. The general public is far more educated about data breaches and the ramifications of them. A recent global survey of 9,000 consumers across 11 countries, including the United States, shows that 70% of respondents assign the responsibility of protecting and securing customer data lies squarely with the companies themselves.

It is also easy to blame the IT department, who, like the quarterback, often gets blamed for performances beyond their control. Oftentimes, internal IT is restricted to the tools they have at hand. While the IT department can implement industry-leading email security solutions, they cannot hold the hand of every employee each time he or she feels tempted to click an embedded link that got through the filter. According to the Verizon 2018 Data Breach Investigations Report, user error was a factor in 17% of breaches last year.

While accountability starts with the CEO and corporate board, cybersecurity is a shared responsibility across every function and level of an organization. Cybersecurity is a practiced culture within the organization that must start at the top. If management does not take cybersecurity seriously, neither will the front-line employees. You can have all of the latest tools in the world, but without human participation, the ROI of implementing them will never be fully recognized.

In a hearing before the U.S. House Committee on Energy and Commerce, the former CEO of Equifax testified that the ultimate blame of the massive breach that involved the personal information of half of the U.S. population. In his testimony, Richard Smith stated:

“Let me say clearly: As CEO I was ultimately responsible for what happened on my watch. Equifax was entrusted with Americans’ private data and we let them down. To each and every person affected by this breach, I am deeply sorry that this occurred. Whether your personal identifying information was compromised, or you have had to deal with the uncertainty of determining whether or not your personal data may have been compromised, I sincerely apologize.”

The fact is that other than fully disconnecting from the internet, there is no way to foolproof your enterprise from a cyberattack. Even if you fully disconnected your enterprise from the internet, it would be susceptible to imposters with a USB drive. No matter what the exposure for your enterprise, you must set the level of acceptable risk for the organization. It is important for the IT leadership to work with the leadership hierarchy of the company and help them to understand the importance of defining what this truly is. For many organizations, this is derived from legal and regulatory responsibilities. Defining the company's acceptable risk level falls to management because they intimately understand the company's business drivers and the corresponding impact if these business objectives are not met.

Once your risk level is properly defined, you can then determine your “duty of care” responsibility. Duty of care refers to the actions or steps that a reasonable person would take in order to protect against a data breach. Duty of care helps define the balance between what security measures are necessary to prevent foreseeable harm to others without posing an unreasonable burden upon the business itself. It is the responsibility to meet an obligated duty of care that will be the centerpiece of any sort of resulting litigation.

 

Duty of Care Approach

The concept of what is reasonable can vary depending on a company’s size, industry and objectives. Obviously, a small local retail store cannot be expected to implement the same security standards and policies as a mega retailer. What is reasonable to one company may not be reasonable to another for multiple reasons. Because there is no recognized authority that can emphatically state what is reasonable, company leadership must determine how they proceed when it comes to risk, for example:

  • They can take a proactive approach to define what is reasonable for their organization;
  • They can sit on their hands and wait for a regulator to suggest a one-size-fits-all definition of it; or
  • They can wait for litigators to define it in the event of a lawsuit.

 

Needless to say, it is best to define what is reasonable for your company and its circumstances. Before doing so however, it is imperative to perform the prerequisite risk assessment. Some key questions to answer in this assessment are:

  • What sensitive, personal information do we host within our organization?
  • How sensitive is that information and what consequences would transpire if it was compromised?
  • What penalties and costs would our company be liable for if this data were breached?

While there are multiple risk assessment standards available, there is one that specifically deals with this challenge. The CIS® (Center for Internet Security) recently released the CIS Risk Assessment Method (RAM), an information security risk assessment method that helps organizations implement security safeguards against the CIS Controls. CIS RAM is the first to provide specific instructions to analyze information security risk that regulators define as “reasonable” and judges evaluate as “due care.” CIS RAM highlights the balance between the harm a security incident might cause and the burden of safeguards – the foundation of “reasonableness.” CIS RAM conforms to information security risk assessment standards, such as ISO 27005, NIST SP 800-30, OCTAVE and RISK IT.

Once a risk assessment is complete, you can then formalize a plan to mitigate the risks and prioritize efforts to combat those risks. What is reasonable is often defined as what an entity of similar size and sophistication would do to protect the same type of data. Industry best practices can also define reasonable security measures. It is vital for a company to proactively determine what reasonable security precautions to take because in the case of litigation, the court will determine itself what a reasonable effort would equate to, and that would determine your company’s duty of care.

Acceptable Risk is Everyone’s Responsibility

All teams have an interest in protecting the company’s data and network. It is not only up to the IT team to plan and manage cybersecurity. With that, all parties need a seat at the table when reviewing the risk assessment results and develop an aligned security strategy that marries compliance, security and business objectives. Who should be involved?

  1. Executive Sponsors/Board of Directors
  2. Counsel/Legal
  3. IT Team

This ensures transparency and consensus on security protocols. It defines as an organization what was the approach and level of risk, plus the proper documentation on the process. In the event of a breach, these are the considerations every company should have, not only for litigation purposes, but for improvements for better controls.

In the end, accountability is not the same as asserting blame. While company leadership is accountable for the damages resulting from a breach, a combination of tools, training and a culture of security consciousness will help avert any one individual falling on the sword.

It is key for organizations to get alignment on acceptable risk and strategy. The proper risk assessment method provides the balance of compliance, consensus and security. The first step is to define your acceptable risk.

Subscribe to Security Magazine

Cindy Kaplan is a director at HALOCK Security Labs. Kaplan has over 25 years in the regulated industries of accounting & audit and information security. She has served as product/project manager and strategic marketing executive developing and managing compliance solutions. Kaplan received her Bachelor’s degree from Carnegie Mellon University and her Master’s degree at Northwestern University.

Related Articles

Is Your Data Breach Response Plan Ready?

Top 5 Fails from Companies Preparing for and Responding to a Data Breach

You must login or register in order to post a comment.

Report Abusive Comment

Subscribe For Free!
  • Print & Digital Edition Subscriptions
  • Security eNewsletter & Other eNews Alerts
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Popular Stories

cybersecurity breach

The Top 12 Data Breaches of 2019

ransomware-enews

British American Tobacco Suffers Data Breach and Ransomware Attack

Dispelling the Dangerous Myth of Data Breach Fatigue; cyber security news

Major Retailer Macy's Is Hacked

server room, cybersecurity, penetration testing,

Explained: Firewalls, Vulnerability Scans and Penetration Tests

SEC1219-Cover-Feat-slide1_900px

Contracted vs. In-House Guarding: No Universal Right Answer

SEC2019_Everbridge_1119_360x184customcontent

Events

December 17, 2019

Conducting a Workplace Violence Threat Analysis and Developing a Response Plan

There are few situations a security professional will face that is more serious than a potential workplace violence threat. Every security professional knows and understands that all employers have a legal, ethical and moral duty to take reasonable steps to prevent and respond to threats of violence in their workplace.
January 23, 2020

The Value of a Unified Approach to Critical Event Management

From extreme weather to cyberattacks to workplace violence, every organization will experience at least one, if not multiple, critical events per year. And in today’s interconnected digital and physical world, the cascading safety, brand, and revenue impacts of critical events are more severe. Organizations need to be prepared through a unified and rapid response to these events.
View All Submit An Event

Poll

Emergency Communications

What does your enterprise use to communicate emergencies to company employees?
View Results Poll Archive

Products

Effective Security Management, 6th Edition

Effective Security Management, 6th Edition

 Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics. 

See More Products
SEC500_250x180 clear

Security Magazine

SEC-December-2019-Cover_144px

2019 December

This month, Security magazine brings you the 2019 Guarding Report, featuring David Komendat, Boeing CSO, and many other public safety leaders to discuss threats and solutions for 2020 and security officer training. Also, we highlight Hector Rodriguez, Director of Public Safety and Security at Marymount California University, CCPA regulations, NIST standards, VMS and much more.

View More Create Account
  • More
    • Market Research
    • Custom Content & Marketing Services
    • Security Group
    • Editorial Guidelines
    • Privacy Policy
    • Survey And Sample
  • Want More
    • Subscribe
    • Connect
    • Partners

Copyright ©2019. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing