November 21, 2018
Whenever an organisation suffers a cybersecurity attack, blame is laid on every single person associated with the breach, yet no proactive action is taken to prevent such occurrences in the future. This often comes down to a lack of accountability in the organisation. We have seen this with federal agencies in the USA, where there is a particular dearth of people who accept accountability, and this has led to untenable situations.
High-profile cybersecurity attacks and security gaps also demonstrate that this lack of accountability is the primary cause of the growing problems around the subject. More specifically, it is a clear case of top management roles that do not work cohesively on security.
A recent post published by Warwick Ashford clarified that the situation is a global problem and that the “narrow gap between CEO, CIO and CISO roles mean no single executive function is stepping up to take responsibility for cybersecurity”.
This conclusion is reinforced by the findings of the ‘2018: Risk Value’ report by NTT Security. According to the report, 19 to 20 per cent of respondents agreed that the role of cybersecurity risk management falls within the scope of CISO and CEO responsibilities, whilst 22 per cent affirmed that it is, in fact, the job of a CIO.
This global average of job expectations, however, varies from country to country. For example, in Singapore, the largest share of respondents, 33 per cent, stated that it is the primary job of a CISO to evaluate and make decisions on day-to-day security.
It can be said that this disagreement and confusion over roles and accountability has the biggest effect on companies’ cybersecurity risk management capabilities. Another conclusion that follows from this finding is that building a complete workforce of security experts will not be of much help unless the accountability of each role is explained properly within organisations.
Whether it is the recent high-profile data breaches or the pressure of heavy penalties under GDPR, most companies have shown concern over possible data breaches within their companies and the effect these would have on their profile. The report further explains that 56 per cent of respondents said they are most afraid of losing customers’ confidence, whilst 52 per cent are concerned about the damage such cases may cause the brand. Many other concerns, such as losing market share and competitors taking their business, make companies worry about current and potential cybersecurity threats, and these can also be traced back to the same primary fears.
The report brought to light yet another worrying concern: almost half of business decision-makers expressed confidence in their existing security setup despite having no concrete evidence for it. Additionally, one in three companies also stated that they do not expect to suffer a data breach in the near future.
It is clear that if we really wish to prepare for a world where more and more devices are connected to each other, and where the threat of psychological manipulation will only grow as personalised targeting becomes easier with machine learning, it is crucial to assign clear accountability within organisations. This is as vital as setting the right foundations; once it is in place, other issues such as a lack of trained resources and ambiguous expertise can be handled with greater ease.
Resources:
https://www.computerweekly.com/news/252452346/Firms-lack-responsible-exec-for-cyber-security
https://www.nttsecurity.com/en-uk/landing-pages/risk-value-2018