The CISO, the CIO, the CEO, or you: Who is really responsible for cybersecurity? Tim Holman speaking to ZDNet
The security threat continues to grow and IT leaders struggle to deal with an ever-increasing danger. Yet the cyber threat, however significant, only forms one element of corporate security. So who should be responsible for security and how can businesses adopt a more proactive stance to the threats they face? Five IT experts give their views.
1. Make security the responsibility of every employee
“The chief executive – and everyone else,” says David Allison, when asked who is responsible for security within an organisation. The head of business systems at Aggregate Industries says the CEO should be accountable for security, but every employee should take personal responsibility.
“Security is not about lock-down and prevention,” says Allison, although firewalls, anti-virus and other IT measures should be taken as a given. “Great security is all about education, awareness and individual responsibility.”
He says the CEO needs to take a personal interest in ensuring he or she has the team in place to train the workforce in a broad range of areas, such as handling emails, monitoring suspicious links and establishing password practices.
“Security needs to be an embedded culture within the organisation,” says Allison. “The CEO puts this culture in place. The Chief Information Security Officer (CISO) designs and executes the strategy to meet this need – and every employee is responsible for ensuring they adopt and follow the required practices.”
2. Do not rely on technology products
Tim Holman, president of the Information Systems Security Association in the UK (ISSA-UK), says accountability within a business always lies with company owners or boards of directors. Some boards might make a CIO, CISO, or IT manager responsible for security, but these individuals can never be held accountable.
“Businesses need to realise just how big of a threat they face from doing business online, or putting data in the cloud,” says Holman. “While businesses might make a CIO responsible for implementing a cloud solution, the business will always be held accountable if something goes wrong.”
He says firms should start developing a proactive stance to cyber security threats – and they can do this through simple risk analysis, or following standards such as IASME or Cyber Essentials. Holman says understanding grows when he spends time with a CEO, or the board, and explains in simple terms the risks of their company doing business online.
“The cyber threat cannot be solved by buying products,” he says. “A common-sense approach of reducing the amount of sensitive data stored, booting out insecure suppliers, restricting access to information and getting cyber liability cover will often be ten times as effective and ten times cheaper than the next generation security appliance with flashing lights sold to you by expert salesmen.”
3. Manage the perils of mobile device ownership
David Reed, head of information services and infrastructure at the Press Association (PA), says the discussion over security is a complex one, but he is ultimately of the opinion that the buck stops at the top of IT. “If as a CIO you’re not able to represent the perils of failing to stay ahead of the game when it comes to security, you’re not doing a good enough job,” he says.
Reed says one of the most important areas for PA is mobile management. He says the firm’s journalists deal with extremely sensitive information, and the threat of a device being hacked, while serious, is not nearly as prevalent as the threat of one simply being lost or stolen. The firm worked with EE to implement a COPE (corporate owned, personally enabled) mobile strategy, using Samsung S4 Minis and the firm’s Knox security system.
“A container can be created within each of the phones to enable work documents, emails and contacts to be stored separately from anything personal. Essentially our journalists have two areas on their phones — one for personal use and one for work,” says Reed.
“At PA, we help the journalists by recommending apps. We followed this exact principle for this year’s Commonwealth Games, by sending the journalists at the event a text to download the Team GB app. This app was whitelisted and simply installed in the container.”
4. Get the chief executive to sponsor governance initiatives
Omid Shiraji, CIO at Working Links, says where responsibility for security sits depends entirely on the organisation and the nature of its business. He is also not persuaded about the need for a dedicated CISO in most organisations.
“IT security is a commodity where you can go and buy products and expertise from a provider,” he says. “The same is true in regards to business security in many cases – the processes and governance are a commodity that you can purchase as a managed service.”
Shiraji says he would rather spend his limited IT budget on front-line operations, and then draw on specific expertise to help protect his data and guide his staff. The organisation recently received ISO 27001 accreditation and the communications support from the chief executive proved essential.
“People change their behaviour because they hear the CEO talking about the important consequences of insecure activities,” he says. “IT security is actually every employee’s job but the CEO must sponsor any security and governance initiative at the organisation – and that’s what happened at Working Links.”
5. Create a pragmatic, risk-aware culture
Julian Self – an experienced CIO, who has worked at a number of finance firms – takes a different view, and says the importance and prominence of the CISO to the business continues to grow. Self says it is the CIO’s job to advocate the benefits of a security specialist to the rest of the C-suite.
“In an already hyper-connected world, and with the advent of the Internet of Things, the job of securing a business’s information grows infinitely more complex as information streams in and out of numerous devices,” says Self, who says the threat landscape continues to evolve.
“The CISO will not be successful unless they have the buy-in and engagement of the business. Without this, they will simply be perceived as a business blocker and their efforts circumvented,” he says.
“Fundamentally, CISOs need to create a pragmatic, risk-aware culture where information security is subconsciously considered across all aspects of business. This approach must go hand in hand with the response to incidents that are proportionate and without scaremongering, and the management and mitigation of risk, ultimately reaffirming confidence from the business.”