Who is Responsible for Security?

June 17, 2022 | Cybersecurity Consulting

By: Jeff Hoskins, senior consultant, CISO Advisory

According to the 2022 Verizon Data Breach Investigations Report, 82 percent of data breaches had some human element, such as phishing, misused credentials, or other human error. We often hear that “security is everyone’s responsibility.” While each person has a part to play in their organization’s security, there must also be accountability for the overall results of the organization’s security program and culture. So in the event of a security incident or data breach, where does the buck stop? 

What does accountability for security look like? 

There will always be risks, and there is always something you could have done differently to mitigate those risks or to prevent an incident that results from them. The person who takes accountability is the one who says, “I recognize we could have done these things, and we didn’t.”

Where does the buck stop? 

Overall accountability for security should rest at board level, with the company CEO or the top leader in the company. While it is the role of the CISO, vCISO, or internal security lead to advise on risk and to implement the security strategies approved by leadership, accountability lies with those who make the ultimate business decisions. The company leader can delegate almost everything except accountability.

Too often, the CISO or security advisor is used as a scapegoat in the event of a major hack or data breach. Whether the individual is an internal or external advisor, the lead security role is ultimately that of an advisor. Their job is to measure risk and communicate it clearly and effectively to leadership, who is ultimately accountable.

When leadership is armed with the advice of the person in the security role, they have the authority to decide which security strategies will be implemented based on time, budget, and personnel. Leadership should be involved in all major decisions that impact a company’s people, processes, and technology. If a CISO or member of the security team were held entirely accountable for cybersecurity risk, they might choose to implement every possible effort to mitigate as much cybersecurity risk as they could. While that sounds great, prioritizing cybersecurity above all other business needs could have major impacts on other critical business objectives, including finances and productivity. Business leaders who see the entire picture can weigh the competing interests, take risk into account, and prioritize those interests to make the ultimate decisions, even if the decision is to accept security risk in favor of lower cost.

The security role

A CISO is ultimately responsible for the confidentiality, integrity, and availability of a company’s information assets, including data and systems. The CISO has a seat at the table for all critical projects to advise on potential risks to the people, processes, and technology of the organization. 

As a risk advisor, the CISO must be a business enabler. This means understanding how security risks impact overall business objectives and communicating those risks clearly and effectively to non-technical stakeholders. 

Companies that are not yet at the point of hiring a full-time CISO may choose to engage a virtual CISO (vCISO). Using a vCISO allows your business to draw on their services as needed, making their time flexible and scalable on short notice while reducing the costs associated with headcount. A vCISO can also offer an independent perspective, which not only reduces potential conflicts of interest but also provides a viewpoint from outside your organization.

Leadership can delegate the following responsibilities to a CISO or vCISO: 

  • Risk management
  • Governance and compliance
  • Business enablement
  • Security operations
  • Security budgeting
  • Identity and access management 
  • Legal and human resources collaboration
  • Selling security culture internally
  • Preparation for assessments like SOC 2 and ISO 27001

For an in-depth explanation of the responsibilities of a CISO, check out BARR’s State of the CISO whitepaper. 

If you have confidence in your product and your business, make sure you also invest in security. If you don’t know where to begin, hiring a professional to serve as a sounding board is the place to start.

Have questions about security accountability or interested in learning more about how a vCISO can help your organization? Contact us today. 

About the Author 

Jeff Hoskins, Senior CISO Consultant

As a Senior Consultant in BARR Advisory’s CISO Advisory practice, Jeff Hoskins supports all consulting service offerings. Jeff guides small- to medium-sized businesses in developing, maintaining, and growing cybersecurity programs. He also plans and executes various engagements, including vendor risk management assessments, policy documentation, and audit assistance.

Jeff has extensive experience leading information security programs. Prior to joining BARR, he was an information security manager at a large enterprise-level health technology company. He holds a Bachelor of Science from Winthrop University and an MBA from the University of South Carolina. Jeff has also earned and maintains certifications including PMP, CISM, and CISSP.
