RSA survey: CISOs bear brunt of data breach responsibility
Tripwire, Inc., a Portland, OR-based global provider of advanced threat, security and compliance solutions, announced on May 1 the results of a survey of 250 attendees at RSA Conference USA 2015 and BSidesSF 2015 in San Francisco, CA.
In spite of pervasive vulnerability to devastating cyber attacks across a broad range of industries, information security experts attending two of the industry’s leading conferences believe that C-level technology executives would and should be held responsible for data breaches, according to the survey.
When asked, “Who would be held responsible in the wake of a data breach on critical infrastructure in your organization,” 41 percent of survey respondents said “CIO, CISO or CSO.” When asked, “Who should be held responsible in the wake of a data breach on critical infrastructure in your organization,” 35 percent said “CIO, CISO or CSO.” Only 18 percent of respondents believe the chief executive officer would be held responsible and only 10 percent believe the company board would be held responsible.
“Cyber security liability is difficult to assign because you have to determine who knew about the risks, and then you have to figure out what they did, or did not do, about them,” said Ken Westin, senior security analyst for Tripwire. “If the CEO is made aware of security risks and does not provide the resources or plans to fix them, they own some of the responsibility. On the other hand, if the CISO does not share information about risk in a format that the CEO can understand, or fails to deploy the security controls and monitoring necessary to identify potential risks, then a greater share of the responsibility falls on her. However, cyber security is a team sport that requires active support across the organization and from all levels of the executive team.”