One thing most organisations cannot seem to agree on is who is responsible for cybersecurity. Does the CIO see their main responsibility as keeping the lights on and making it all work? If you have a CISO, do they feel that their agenda is sometimes at odds with a CIO who needs to balance the budget? Would your HR team accept that security awareness is the responsibility of the team that writes the HR manual? Can you find one person who agrees that the responsibility for cybersecurity lies firmly at their door? The answer is likely to be no!
Senior executives and boards increasingly understand that cybercrime is an issue that requires executive input. In many ways, the board needs to take as much responsibility for the company’s execution of cybersecurity as it does for financial performance. The problem is that many boards still don’t really get it – and keeping up with the rapidly evolving world of security is a challenge. It’s important that the board sees its responsibility as prioritising cybersecurity and ensuring that the right procedures are in place and adequately funded within the business, in order to move to a state of lower risk.
In order to better control cybersecurity, organisations need a champion who sits outside IT: a CISO, perhaps, with an independent role and a budget they control themselves. However, what’s not so clear is where the CISO function sits within the organisation, or how autonomous this function should be.
So should security be a function in its own right? Maybe it's a small team headed up by a CISO, with a dotted-line relationship to security champions in other functional teams? Or maybe it could be valuable to have a CIO/CISO working in combination with a third-party expert with advanced security capabilities to better plan and manage security for the organisation.
To find out more about responsibility in cybersecurity, please read our full In View on ‘Cybersecurity. Who’s actually responsible?’