Skip to main content

The security blame game: Who should be held accountable for a breach?

With the ever increasing threat of cybercrime knocking on one’s door, many large organisations are reliant on IT security teams to protect their vast network from attack. As many Chief Information Security Officers (CISOs) will attest, the larger the network, the more complicated the job. According to Gartner more than 95 per cent of firewall breaches will be caused by firewall misconfiguration, not firewall flaws.

Within large organisations there is the possibility of having potentially hundreds of firewalls, network switches and routers from numerous vendors with unpatched systems and various other network vulnerabilities, all of which can provide a route in for attackers. Misconfiguration of firewall rules and policies can pose a serious security threat, and constant diligence in patching firewalls, monitoring configuration and assessing the rule base is required to maintain security.

But what happens when a breach has occurred? Can an individual be held accountable, or is it fair to put the responsibility entirely on to your security team?

Who is accountable if the board doesn’t listen?

There is a wealth of information from every vendor offering opinion on the safest way to keep your organisation protected, yet very little is said about who should ultimately be held accountable should a data breach occur. Boardrooms and CEOs rely on CISOs and security teams for advice and guidance on security, and crucially have the control of budgets. Problems arise when security teams are held accountable for breaches, even if they have already highlighted the issue to the board, who subsequently decided not to take action on the advice.

In the eyes of the public, when a data breach occurs it is often the boardroom who must take overall responsibility, but other than the obvious financial losses and reputational damage, there is often very little individual internal accountability. Board members can improve internal accountability by requiring the business unit or mid-level managers to be directly responsible for projects which would require sign off on the security of new technology and systems they wish to introduce. This in turn means that the business unit must work with the security teams to actively identify risks within existing and new projects.

Ultimately this puts the security teams into an advisory role that would work alongside the business unit to report on the risks of current projects. It would require them to provide the visibility in to the impact that proposed changes to a network would have on the organisation’s overall security posture.

Blame is not the name of the game

Addressing the issue of internal accountability isn’t about apportioning blame to specific people or teams, but to highlight the need for one group to take ownership of security. Being directly responsible for security would make project managers more diligent about security concerns, and in the event of a breach, the entire organisation would be able to say that all the necessary steps were taken to reduce the risk of a cyber-attack.

By defining the roles and responsibilities within an organisation relating to accountability, security and project management teams can work together more effectively, allowing the organisations to function better, and improve the overall efficiency of security. By putting security teams in an advisory role, and removing the threat of them being held accountable for breaches allows them to provide unbiased, and subsequently, better risk management advice which will increase the overall security posture of the organisation.

Jody Brazil (pictured) is the CTO and founder of security firm FireMon

Jody Brazil
Jody Brazil is Co-Founder & Chief Product Strategist at FireMon, the industry leader in intelligent security management. Jody developed the first product for FireMon in 2001 and has gone onto develop and create new effective security measures that can scan, simulate, evaluate and protect even the most complex of networks.