Who Is Ultimately Accountable for Risks, Threats, and Vulnerabilities?

Executive management is ultimately accountable for controlling risks. Executives must explain why major security breaches occurred. They must rebuild trust with the public. They also have to rebuild confidence with shareholders and regulators.

To be accountable means to face consequences for failure to act. Some organizations find it difficult to apply consequences to top leadership. Worse yet are organizations that identify so many leaders as accountable that, for all practical purposes, no one is accountable.

As a result, not all organizations are capable of holding their leaders accountable. Accountability can come from external forces such as:

  • Public opinion—Can turn against a company, leading to a loss of trust that damages or even destroys it and harms the organization’s reputation
  • Shareholders—Vote and take action at the shareholder level
  • Regulators—Hold the organization accountable for violation of law
  • Courts—Hold executives personally accountable

Executive management is ultimately responsible for ensuring that data is protected. That means executives are accountable for selecting key leaders such as the CISO. It also means they need to support the security program. This support includes proper funding, removing barriers, and providing visible support. All levels of management are held accountable to ensure the security program is understood and properly implemented.

This support also means defining clear roles and responsibilities for implementing security policies. Employees are responsible for understanding their roles and the security policies. They are accountable for following those policies.

The organization holds much of the liability. The organization is ultimately in control of the data. There’s an obligation on the organization’s part to hire competent staff. It’s also the organization’s obligation to give this staff appropriate resources, training, and supervision. Employees can still be held liable for violation of the law. Employees can be prosecuted for illegal acts, but often it’s the organization that is ultimately held accountable. It’s executive management that is held accountable for allowing such acts to occur.

The information security organization plays a key role in controlling risk. It is accountable for identifying risks, threats, and vulnerabilities. Many times, it’s the IT organization that executes assessments. The IT teams also implement mitigating solutions. The information security organization is a subject matter expert (SME). It is often responsible for establishing the policies and procedures to be executed by the IT teams. The teams also review the assessment results.

Where Must IT Security Policy Enforcement Come From?

Multiple layers in the organization enforce security policies. Everyone has a role to play in identifying and managing risks. The following is a sampling of key roles to enforce security policies:

  • General counsel—Enforces legally binding agreements
  • Executive management—Implements enterprise risk management
  • Human resources (HR)—Enforces disciplinary actions
  • Information systems security organization—Enforces security policies at a program level
  • Front-line manager/supervisor—Enforces security policies at an employee level

This is not a comprehensive list. For example, the general counsel works with law enforcement to prosecute employees who violate the law. The key point is to notice that every layer of the organization enforces security policies. Enforcement is not a single team’s responsibility.

FYI

Although enforcement of security policies may align with different layers of the organization, ultimate accountability for identifying and escalating security noncompliance lies with the chief information security officer (CISO). The CISO “owns” the information security program (and related controls) across the enterprise. If the policies and controls are not effective, the CISO must escalate the matter to senior leadership. Senior leadership must enforce security policies through the CISO’s guidance.

The general counsel enforces legally binding agreements. This enforcement takes the form of dealing with opposing legal counsel or filing lawsuits on the organization’s behalf to resolve contract disputes. This includes agreements with vendors and outsourcers. The legal department is involved when the contracts are first written. These contracts often define the security policy to be followed. Ideally, any concerns with these contract policies are quickly resolved without involving the legal department; however, when security policy issues cannot be resolved, the legal department is called. The legal department can either enforce the contract or terminate it. In extreme cases the department can file a lawsuit to recover damages due to the breach of contract. Regardless of the remedy, ultimate enforcement of legal provisions falls on the legal department. Beyond this role, general counsel provides legal advice to management on writing and enforcing policies internally.

Executive management often focuses on implementing enterprise risk management. Executive committees (ECs) exist in many organizations. The EC brings multiple lines of business together to resolve strategic business issues. This is also true for enterprise risk management. The approval and enforcement of security policies is an EC responsibility. When two or more executives have differing views on security policies, the CISO tries to facilitate a solution. When the solution cannot be found, often the issue is brought to executive management through the EC. It is this committee’s role to enforce security policies at the enterprise and executive level.

HR is a key player in the enforcement of disciplinary actions. The HR area defines the processes to discipline employees. These processes are one tool for enforcing security policies. The discipline could be a simple coaching session or a formal warning. Many HR teams have specific guidelines to be followed. This ensures security violations are handled in a consistent and fair manner. The visibility of a fair process is important in encouraging appropriate behavior.

The information systems security organization enforces security policies at a program level. The team is accountable for identifying violations of policies. It also needs to bring violations to the attention of management. Keep in mind that employees do not report to the security staff. Employees receive direction from their own management. The security staff are not corporate police officers enforcing policies as corporate law. This perception is exactly what a security team should avoid. Security teams report risks. They also report facts on incidents. It is the employee’s management that takes appropriate action.

The front-line manager/supervisor enforces security policies at an employee level. These individuals represent the employee’s chain of command. They are responsible for the employee’s day-to-day work, which includes ensuring that employees follow policy.
