Where does the buck stop when there’s a security breach?

So your company network is compromised and there’s a security issue. Who’s responsible, the IT specialists? The board? According to research from BAE Systems, each side mostly thinks the buck stops with the other.

The figures break down as a third of C-suite directors thinking the IT team is responsible for IT security, while 50% of IT professionals think it’s within the purview of the board. Call us old-fashioned, but we’d welcome a bit of co-operation.

So we asked some of our contacts, both in the UK and the US, what they thought.

Business bodies

The first thing to make clear is that everybody we asked was more comfortable with the idea of prevention than fixing a problem after it had caused damage. Oliver Parry, head of corporate governance at the UK’s Institute of Directors, was among them. He said:

As with other principal risks to a business, responsibility of outlining this [prevention] strategy should fall with the board. It is crucial that executives understand the importance of having non-executive directors with a digital background.

It doesn’t stop with the board, though, he added:

Lasting cybersecurity only comes from embedding good practice throughout the culture of an organisation, starting from the top. No system or person alone can prevent indefinitely the threat of a cyber-attack. With human error invariably the most obvious vulnerability, it is training and awareness that should be the focus of an organisation’s efforts, rather than pre-emptive work to ensure somebody else gets the blame.

Tom Thackray, director of innovation at the UK’s CBI, concurred:

From talking to businesses across the country, it’s clear that cybersecurity isn’t just an issue for the tech team, or one member of the board. It’s a cross-business, joint effort. Executives need to be able to ask the right questions about cyber security in order to get the best out of their teams, but ultimate accountability will differ depending on the size and type of organisation.

In the US, the National Association of Corporate Directors (NACD) directed us towards its freshly minted publication from last month, Cyber Risk Oversight in its Directors’ Handbook. This points to a guideline from the National Institute of Standards and Technology, developed under an executive order from President Obama, aimed at public-service entities but which can be adopted by the private sector voluntarily. It is available here in its entirety but the bottom line is that it takes a step by step methodical top-down approach, starting with risk assessment.

The handbook also has an extensive section on the relationship between the board and the chief information security officer (CISO). It offers detailed breakdowns of how to make this best practice happen:

Many board members now seek to establish an ongoing relationship with the CISO, and include the security executive in discussions about cybersecurity matters at full board and/or key committee-level meetings.

Team effort

Nobody is doubting the veracity of the BAE Systems data, but one of the features of asking a polarised question about who’s responsible in a crisis is that you’ll get a one-or-the-other answer. Our totally unscientific findings, based on the small handful of people we spoke to, suggest that in the real world people have a more constructive, less us-and-them view of how to handle a security crisis.