Updated: May 16
The Gaps In Cybersecurity Risk Ownership

The increasing number of cyberattacks on businesses through their suppliers has highlighted the need for proper ownership of, and accountability for, cybersecurity risk. Many organisations have a gap in responsibility between the IT Security Manager (ITSM) role and the C-level executives, which results in a lack of awareness of, and action on, cybersecurity risk. This ownership gap leaves companies exposed to information security breaches, both internally and through third parties, which can damage the organisation's reputation and ultimately its share price.

Accountability
At the top of the accountability chain, the board of directors holds the ultimate responsibility for ensuring that an information security breach does not negatively affect the company's share price. In turn, the CEO is operationally accountable for the cybersecurity risks in the organisation.

Responsibility

Other C-level executives are responsible for the cybersecurity risks in their respective areas, and it is crucial that each of them understands their own risk exposure. Where there is one, the Chief Information Security Officer (CISO) is responsible for communicating information security risk to the other C-level executives and to the board. The CIO is responsible for the information security risks of the ICT systems, while the ITSMs are responsible for addressing the information security risks in the ICT systems they manage.

The First Gap(s)

If no one is performing the CISO role, the responsibility for delivering information security defaults to the CEO. If the CIO is instead made responsible for reporting the risk held in ICT systems, there is a potential lack of risk-reporting expertise and a conflict of interest, because the CIO would be reporting on the systems they themselves run. The areas outside ICT often control information on internal and external systems that they manage themselves, without having the skills to report on the risk this information brings to the company. It is important to note that information security is not limited to the company's ICT systems. It encompasses all areas of company data, for example the information controlled by Finance, Legal, Sales and HR, and the suppliers they use. Often these third parties are not visible to the CIO or the ITSMs, who are therefore unable to influence the cybersecurity controls applied to them.

The Second Gap

Third parties and suppliers are often responsible for some of the information security controls applied to the company data shared with them, such as physical security, hardware, virtual environments, operating systems, some application security and part of the access controls.
The company is responsible for assuring itself that these controls are actually being delivered. However, the company using the service remains responsible for aspects such as application configuration, access controls, access management, cybersecurity incident response, monitoring for security events, cybersecurity awareness of users, and employee background checks. Writing down which controls sit with the supplier and which remain with the company is the only way to be sure that nothing falls between the two. It is also vital to remember that companies cannot outsource their accountability; having insurance and contracts in place is not enough.

Ownership

The ownership gap in responsibility for cybersecurity risk is a significant issue that companies need to address. ITSMs are not responsible for information security across the whole company, and the C-level executives may not be aware that this responsibility falls on their shoulders. Ultimately, the buck stops at the CEO's and the board's door, and it is crucial to close this gap so that cybersecurity risk has proper ownership and accountability. By doing so, companies can take the necessary steps to protect themselves against information security breaches and safeguard their reputation and share price.

Addressing The Two Gaps in Three Steps

Step 1: Formally allocate the responsibilities of the CISO role to a single individual, or to a small number of individuals, with a direct risk reporting line to the CEO. This includes owning a continuous security improvement programme and reporting on information security risk across the organisation.

Step 2: Ensure the security policy is comprehensive, signed off by the CEO, and applied throughout the organisation. Educate employees about its existence and their responsibilities under it as part of the security awareness programme.

Step 3: Ensure that all aspects of cybersecurity management are being carried out appropriately wherever third parties are engaged, for example access management for the company's Facebook accounts. Manage your suppliers and third parties, and perform cybersecurity due diligence on every supplier you share information with.
Ensure that you are fully aware of any risks they may bring, including fourth-party risks (the risks introduced by your suppliers' own suppliers) and changes in their risk profile over time. Help your suppliers improve their cybersecurity.

Trudexia

With Trudexia, you can easily manage all your suppliers and perform thorough cybersecurity due diligence on every partner you share information with. Move away from ad hoc and piecemeal approaches, and embrace continuous assessment of all your suppliers to improve their cybersecurity performance. Trudexia allows you to customise your approach so that all risks are effectively managed. Improve your suppliers' security with automatic action plans, and continually assess, monitor and report on their performance.