The Buck Stops There: Who is Ultimately Responsible for a Security Breach?

“If ignorance is bliss, there should be more happy people.” ― Victor Cousin.

And if the data in the recent Websense/Ponemon report is true, there should be a lot more happy people in IT security. It is not a pretty picture. Here are some of the key findings from the survey of 4,881 IT and IT security practitioners in 15 countries:

– Less than half of the respondents (41 percent) believe they have a good understanding of the threat landscape facing their company.

– Only 37 percent of respondents could say with certainty that their organization lost sensitive or confidential information as a result of a cyber attack.

– Thirty-five percent of those who had lost sensitive or confidential information did not know exactly what data had been stolen.

Add to this the fact that 57% do not believe their companies are protected from advanced cyber attacks and that only 26% agree that it is possible to protect against all cyber attacks, and you end up with the feeling that most IT departments are fighting on the back foot. But beleaguered IT departments are not only fighting external threats. Internal obstacles to security are equally daunting. IT departments are finding it increasingly difficult to communicate the seriousness of such threats to company executives. “Eighty percent of respondents say their executives do not believe that the loss of their organization’s confidential data could result in a potential loss of revenue.” As the study points out, “this is in contrast to recent Ponemon Institute research, which indicates that data breaches have serious financial consequences for organizations. The average cost per lost or stolen record due to a data breach is $188 and the average organizational data breach cost is $5.4 million.”

The first set of data indicates that IT departments are under increasing pressure to protect company data, while the second set indicates that they cannot adequately communicate these threats to management. The result must certainly be a lot of frustration in IT departments. It seems that management assumes the IT department can solve any problem that arises and expects it to do just that. In other words, if someone is going to get fired as a result of a security breach, it will be the CIO, CSO, CISO or “that guy in the IT department.”

In such an environment, one question stands out. If you are an IT department manager and detect a security breach, do you tell company executives? If you knew that they would not understand the nature of the breach and expected you to solve the problem, wouldn’t they blame you for not preventing the breach in the first place? Wouldn’t it be better to solve the problem on your own and only tell management if you could not do so? Of course, such a confession would likely be akin to announcing your resignation. Maybe this is why the average lifespan of a security officer is 6 years.

If there is one thing we learned from the Target breach, it is that cooperation between the CEO and CIO is expected by board members. True, the CIO was fired first, but the CEO followed two months later. Target is now in the process of hiring a CISO (Chief Information Security Officer) to keep a closer watch on security issues. However, it remains to be seen whether this move will solve basic communication problems. Certainly there is a degree of PR behind it. It makes it look as if the company has increased its concern about security. However, if this is only a PR move and a way to put a firewall between security and the CEO, then no lesson has been learned.

Security breaches will occur in even the best protected organizations. In Target’s defense, few companies could have survived such an oblique attack as the one they experienced. This attack began by spear phishing a heating company that worked with Target. However, a Wall Street Journal report said that the company was warned about the attack at least two months before it took place. If this is true, then either management did not take the threat seriously, expected it to be sorted out by the IT department, or, more likely, both.

For good security to work, there needs to be good communication between security and management. Management must understand that risk comes with security and that no system is foolproof. If security officers live under the shadow of termination, communication will be undermined, and novel, possibly improved, approaches to security will be dismissed because they would be considered too risky. As Juniper Networks’ security chief, Nawaf Bitar, pointed out at the last RSA conference, “every new technique deserves scrutiny. Every bad idea needs to be challenged, but we must be careful not to dismiss too quickly, for it is the incomplete and partial solutions today that will lead to the breakthroughs of the future.” So who is ultimately responsible for a security breach? As Joel Brenner learned when he tried to find an answer to this question, managers, no matter what department they work in, will always point to some other person or department. In fact, they are all right. The goal of every organization should be to make security a team effort: a war that everyone plays a part in. Just as in any war, when security fails, everyone loses. Security is a management, corporate culture, and, most importantly, a leadership issue. Anything short of a full commitment to security will eventually be exposed. Security will never be 100% guaranteed, but there is no reason this should not be a guiding ideal.