Security leaders at this month’s Enterprise Cyber Security conference in London revealed strategies for embedding best practice security across their organizations – but questioned which role actually owns cyber risk.
Cybersecurity professionals from the financial services, retail, public sector, charity and education sectors addressed the Whitehall Media event, covering topics including deterrence, compliance, artificial intelligence, risk mitigation and culture.
The data privacy and information security officer at a multinational retailer described how he’d developed a matrix of privacy champions mapped against key areas to protect (e.g. customer, employee, supply chain), driving privacy through the organization from senior data owners, through workstream owners and steering groups, down to individual employee champions who are empowered to encourage best practice in each of their teams. The power of grass-roots best practice was reinforced by a later speaker from the financial services sector.
A broad range of evidence now suggests that employee awareness of cybersecurity issues continues to increase. In the USA, the National Institute of Standards and Technology (NIST) is bolstering this further by publishing extensive advice regarding how each function (from leadership to sales, marketing, HR and finance) can help keep its organization secure.
This increased awareness is great to see. Yet speakers at the Enterprise Cyber Security conference questioned who is ultimately responsible for managing and mitigating cyber risk.
This uncertainty was revealed by NTT Security’s research among businesses for its Risk:Value report 2018. The research showed that businesses believe day-to-day responsibility for cybersecurity belongs with one of five very different roles: chief information officer (CIO), chief information security officer (CISO), chief operating officer (COO), IT director or even the chief executive officer (6% of businesses believe cybersecurity responsibility sits somewhere else entirely, and 8% don’t know).
There is indeed confusion within organizations that will interfere with setting acceptable risk levels and making risk mitigating decisions.
Furthermore, our research showed that a shocking 43% of businesses believe that cybersecurity is just a problem for the IT department – highlighting that while most employees are better informed on cybersecurity issues, they don’t always take responsibility.
As Maxine Holt, principal analyst at the Information Security Forum and now Ovum research director, wrote in Computer Weekly: “People are an organization’s biggest asset and also potentially its biggest risk… how these people take decisions and behave in key moments are essential factors in strengthening resilience”.
Identifying the owner of business risk and cyber risk is an essential first step.