Who’s Responsible for Cybersecurity? Industry Searches for Clear Answers

We’re now living in what has been called the “era of the mega breach.” Globally, businesses are estimated to lose $445 billion annually due to cybercrime, according to the Center for Strategic and International Studies. What’s more, the overall threat landscape has evolved significantly with respect to the frequency, maliciousness and sophistication of attacks. And, yet—despite this reality—companies are still struggling with responsibility for data breaches. Two recent studies expose the issue.

“We’re Not Responsible,” Say CEOs

A recent study conducted by Tanium and Nasdaq, Accountability Gap: Cybersecurity & Building a Culture of Responsibility, found that some CEOs are unwilling to take responsibility for cybersecurity. What’s more, the majority of respondents (90%) said their companies have a medium-to-high level of cybersecurity vulnerability. The findings paint “an alarming picture” of a worrisome accountability gap, said Tanium and Nasdaq.

“I think the most shocking statistic was really the fact that the individuals at the top of an organization—executives like CEOs and CIOs, and even board members—didn’t feel personally responsible for cybersecurity or protecting the customer data,” Dave Damato, chief security officer at Tanium, told CNBC. “As a result they’re handing this off to their techies, and they’re really just placing their heads in the sand.”

Board Members Say CEOs Responsible

Another study, conducted by the New York Stock Exchange (NYSE) Governance Services and Veracode, Cybersecurity in the Boardroom, found that boardrooms are shifting responsibility for data breaches from the CIO, CISO, and IT security team to the CEO. “Responsibility for attacks is being seen as a broader business issue,” stated the report.

Today, board members view cybersecurity through a financial lens. Brand damage, breach cleanup costs, and theft of corporate intellectual property were the top three worries. Brand damage was the biggest concern, named by 41 percent of directors. Another 47 percent were equally split between theft of corporate intellectual property (such as strategic plans and proprietary designs) and the total cost of responding to a breach (such as cleanup, lawsuits, forensics, and credit reporting costs).

Corporate Cybersecurity Governance Needed

The findings of the two studies are particularly surprising in light of the growing concern that cybersecurity be addressed at the highest levels of an organization. That was the focus of a “Cyber Risks and the Boardroom” conference held at the New York Stock Exchange in 2014. In his address to attendees, Commissioner Luis A. Aguilar made a case for greater corporate governance of cybersecurity and proposed that organizations take proactive steps, including adopting a security framework.

“Given the known risks posed by cyber-attacks, one would expect that corporate boards and senior management universally would be proactively taking steps to confront these cyber-risks,” stated Aguilar. “Yet, evidence suggests that there may be a gap that exists between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks.”

Aguilar recommends that organizations adopt the National Institute of Standards and Technology (NIST) Cybersecurity Framework, as it provides organizations with a set of industry standards and best practices for managing cybersecurity risks. “In considering where to begin to assess a company’s possible cybersecurity measures, one conceptual roadmap boards should consider is the Framework for Improving Critical Infrastructure Cybersecurity, released by the NIST in February 2014.”

At Clearwater Compliance, we would be happy to assist your organization in implementing and/or maturing your cybersecurity and information risk management programs. Let’s start the conversation today!
Clearwater Compliance

Clearwater Compliance helps healthcare organizations ensure patient safety and improve the quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI).

We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.