Even just 10 years ago, the chief information security officer (CISO) role was more straightforward. Much has changed over that time, and radical changes to the threat landscape have forced the CISO to evolve.
New regulatory shifts have also added another layer of complexity, with the EU’s Digital Operational Resilience Act (DORA) placing added scrutiny on any third-party suppliers, and new SEC rules requiring that listed companies must report a material cybersecurity incident within four days. In both regulations, boards have been made to take on more accountability for cybersecurity. But the ultimate burden often falls on a single individual: the CISO.
However, it’s unsustainable for our industry to rely solely on a “chief incident scapegoat officer” to keep an enterprise safe. The task has become too large a responsibility for just one person. Instead, CISOs must spearhead accountability for security posture throughout their organization.
The CISO’s challenge
The stakes have been raised by regulators. From DORA and NIS 2 in the EU to the new SEC disclosure rules in the United States, we see a clear message: boards are accountable for security risks. But it’s CISOs who face legal consequences for cybersecurity and privacy policy breaches, not the board in its entirety. The recent charges against SolarWinds’ CISO, Timothy G. Brown, are a prime example of this new trend.
Gartner reports that 86% of organizations attribute security breaches to the CIO, CISO, or a similar position. But we should distribute accountability across the entire organization, not assign it to one individual at the top. This year alone has seen 5,360 publicly disclosed breaches, and understanding responsibility for cyber risk, and every single person’s role in maintaining robust security, is vital. CISOs should prioritize developing a solid, companywide security culture that includes comprehensive training to help distribute accountability.
Despite enterprises often comprising thousands of people, with many more thousands of machines, the CISO often gets scapegoated when there’s a breach. While they are ultimately responsible for cybersecurity, the crux of the issue lies in clarifying responsibility. Modern networks are hugely complex, with individuals managing more devices, applications, and accounts. Assigning ownership to this deluge of assets has become incredibly challenging for CISOs. Incomplete inventories prevent them from identifying who’s accountable, and the absence of a centralized hub or single source of truth only makes matters worse.
Ensuring that everyone in an organization understands their role in security will be vital as cybersecurity regulations that put governance firmly in the spotlight proliferate, and as frameworks like the NIST Cybersecurity Framework (CSF) 2.0 introduce a new core “Govern” function. Organizations must make governance a priority because it lets them establish clearer lines of accountability, bolster overall security posture, and relieve the CISO of the burden of sole responsibility.
Foster a positive security culture
Cybersecurity accountability discussions often devolve into blame games. However, building a robust cybersecurity culture goes beyond pointing the finger at employees for lapses, such as clicking phishing links or using weak passwords. IT departments are perceived as partners to the wider business, and we need to view cybersecurity in the same way. This requires collective responsibility and proactive measures across the organization.
Security incidents rarely stem from a single person’s actions, so the witch hunt for a responsible party must end, and organizations should learn from incidents instead. It’s crucial we adopt a fix-first mentality, changing perceptions of cybersecurity from a single team’s effort to a companywide one.
Given the increasing emphasis on compliance, the industry must take a proactive approach. Each individual needs to have an understanding of how governance aligns with business objectives, regardless of their position. Encouraging individuals to take ownership of cybersecurity will help to improve overall security posture management.
Cybersecurity teams must help everyone recognize their role in the organization’s security posture. This shift promises to reduce the blast radius of incidents and to cultivate a resilient, security-conscious organizational culture.
Empower individuals for collective safety
To instil a positive security culture, businesses need to update their asset inventories and control mechanisms regularly, combining this with a comprehensive security knowledge base. This will help to create a single source of truth: a real-time snapshot that aids in policy adherence, identifying both strengths and areas requiring attention.
Creating this centralized hub aids task prioritization, and it also sheds light on the security team’s responsibilities and where they need to take action. By enhancing accountability, the CISO becomes a pivotal figure in influencing others. Armed with this data, CISOs can confidently portray security ownership. For instance, when examining a server, CISOs can pinpoint and prioritize any issues, determine the responsible party, and identify other devices managed by the same individual that are potentially vulnerable. They can then work with that person to improve security by optimizing security tooling, or by deploying additional solutions if needed, helping to plug potentially critical gaps.
By fostering a comprehensive understanding of the security posture throughout the organization, CISOs can effectively enforce accountability and bolster security measures. A security-centric culture will certainly help to achieve this, but CISOs also need to implement training programs, which are now obligatory for certain firms as part of DORA.
With increasing emphasis on cybersecurity accountability, there’s an opportunity to change the blame culture overshadowing security posture management. Right now, CISOs need tools that will let them promote positive security posture and prioritize actions for improvement. Only then can they drive accountability for security across the organization by identifying asset owners and actioning improvements effectively.
This will help to reduce the chances of a successful attack against organizations, and could save CISOs from facing charges personally and, equally important, save the organization from stiff penalties from regulators.
Nick Lines, security evangelist, Panaseer