Should Tech Bosses Be Responsible For Data Breaches?

amazon, cyber security

C-level tech executives should be held accountable for loss of data, Tripwire survey claims

Research from security threat detection specialist Tripwire has painted a revealing picture of those charged with securing business networks from cyber attacks.

One survey concluded that chief information security officers (CISOs) should bear responsibility for any data breaches, as other research pointed to an ongoing lack of confidence when dealing with cyber security issues.

Accountable CIOs

securityA Tripwire survey of 250 attendees at RSA Conference USA 2015 and BSidesSF 2015 in San Francisco found that despite the ongoing threat of cyber attacks to many organisations, most information security experts believe that the buck should stop with the C-level tech executives if any data breach actually takes place.

Most respondents (41 percent) said that the CIO, CISO or CSO should be held responsible in the wake of a data breach on critical infrastructure in their organisation.

But what about the top management, who actually control the purse strings and can authorise the spend on security? It seems that 18 percent of respondents said that the chief executive officer or CEO would be held responsible in the event of a data breach, and only 10 percent believe the company board would be held responsible.

“Cyber security liability is difficult to assign because you have to determine who knew about the risks, and then you have to figure out what they did, or did not do about them,” said Ken Westin, senior security analyst for Tripwire.

“If the CEO is made aware that of security risks and does not provide the resources or plans to fix them, they own some of the responsibility,” said Westin. “On the other hand, if the CISO does not share information about risk in a format that the CEO can understand, or fails to deploy the security controls and monitoring necessary to identify potential risks, then a greater share of the responsibility falls on her. However, cyber security is a team sport that requires active support across the organisation and from all levels of the executive team.”

Confidence Gap

And it seems that the issue of cyber security is keeping executives on their toes, but there is a confidence gap for executives at Fortune 500 companies.

The Tripwire study was carried out by Dimensional Research and focused on how to improve the cybersecurity literacy of Fortune 500 boards and executives. It examined corporate executives’ view of cybersecurity risks, as well as measured their confidence and preparedness in the event of a security breach. Apparently 200 business executives and 200 IT security professionals at US companies with annual revenues of more than $5bn (£3.3bn) took part in the study.

And the study highlighted the uncertainty and lack of confidence among those charged with managing and protecting company computer systems from cyber assaults.

It found that C-level executives are less confident (68 percent) than non C-level executives (80 percent) that cybersecurity briefings presented to the board accurately represented the urgency and intensity of the cyberthreats targeting their organisations.

And the C-level executives are also less confident in the accuracy of the tools their organisation uses to present cybersecurity risks to the board.

“The lower level of confidence on the part of C-level executives reflects a sea change in the way that executives handle cybersecurity risks,” said Dwayne Melancon, CTO for Tripwire. “The good news is that this study signals that conversations are beginning to happen at all levels of the organisation.”

“I’m not surprised that C-level executives are less confident than their boards or IT executive staff,” added Melancon. “That lack of confidence comes, in large part, from the networking and informal benchmarking that takes place among C-level executives at the peer level.

“There is a lot of ‘comparing notes’ that happens between C-level peers. When this happens, you are able to get a more informed view of where you are in your overall cyber risk preparedness. This is in direct contrast to IT professionals who generally have a more insulated view of their own cyber risk, which can lead to a false sense of security. That difference in perspective – internal inputs vs. external inputs – may very well explain the confidence gap this survey highlights.”

Are you a security pro? Try our quiz!