The answer to the question ‘Who is responsible for cyber security in an organization?’ is debatable. It ranges from
– everyone, because it can touch every member of the enterprise;
– the CISO or equivalent, who oversees the implementation of corporate strategy;
– the CEO, who hires the infosec leader;
– or the board of directors, which sets the tone for the organization and the risk strategy.
Most experts say it lies with the board, which means the directors should be asking the C-suite pointed questions. In a column this week Ted Pretty, CEO of data discovery maker Covata, suggests six.
1 – Which threats does the organization face?
2 – What motivates the attackers?
3 – What would the impact of a breach be?
4 – How likely is a breach?
5 – What’s our current level of risk?
6 – How do we reduce that level?
Let’s take a few of these:
Considering the number of incidents network administrators face every day (an incident being defined as everything from a probe to spam to an actual bypass of defences), infosec pros can answer the first question with, ‘Every cyber threat known to mankind.’ That isn’t what the board needs to hear. It should want to know realistically who might have the company in its sights: criminals after personal information? Competitors or nation states after intellectual property? Activists who don’t like the company’s stand on an issue or the country where it does business?
The impact of a breach can be difficult to calculate. There are a number of reports from firms ranging from the Ponemon Institute to security vendors to industry analysts. All are valuable, if not quite precise. The cost to a company’s reputation is also a variable. What the board wants to hear from all of this is a reasonable, defensible calculation.
Arguably, the most important thing for the board to know is the current level of risk, which can only be determined by scoring the organization’s security maturity, no small task.
Bottom line: As an infosec leader are you prepared now to answer these questions?