Whose fault data breaches? Most security pros point at CISOs and CIOs

RSA Conference survey finds that CEOs are not the first job on the line when hackers call


Four out of ten security professionals believe that data breaches would land at the door of CISOs, CIOs and CSOs rather than CEOs, an impromptu survey of attendees at the recent US RSA Conference has found.

According to security firm Tripwire, 41 percent of the 250 security pros gave that response when asked who would be held responsible for data breaches, while a slightly lower 35 percent believed those job titles should be held responsible.

As for the CEO, only 18 percent believed this job role would be handed the blame with a further 10 percent suggesting the entire board would be on the block.

“Cyber security liability is difficult to assign because you have to determine who knew about the risks, and then you have to figure out what they did, or did not do about them,” said Tripwire senior security analyst, Ken Westin.

“If the CEO is made aware of security risks and does not provide the resources or plans to fix them, they own some of the responsibility.

“On the other hand, if the CISO does not share information about risk in a format that the CEO can understand, or fails to deploy the security controls and monitoring necessary to identify potential risks, then a greater share of the responsibility falls on him/her,” he said.

The recent evidence from US firms is that the consequences for board members depend on the seriousness of the breach. Big breaches – for example last year’s Target breach – seem to result in the resignation not only of CIO-level board members but also of CEOs. On that occasion both CEO Gregg Steinhafel and CIO Beth M. Jacob resigned. Nobody escapes blame.

In the case of Sony, it was co-chairman Amy Pascal who ended up losing her job, but that was more about the embarrassing nature of her emails than a result of the breach itself.