Ten years ago, the role of Chief Information Security Officer (CISO) was simpler. Today it has been transformed beyond recognition, shaped by the radical evolution of cybersecurity. While recent regulations such as the EU’s Digital Operational Resilience Act (DORA) and the new SEC rules have shifted responsibility to the board, in the worst case scenario the burden often falls on one person: the CISO.
This weight cannot be fully borne by a ‘Chief Incident Scapegoat Officer’. Instead, CISOs should drive security accountability across the organization.
Security product expert at Panaseer.
Increasing CISO struggle
New regulations such as DORA, SEC disclosure rules and NIS 2 underscore the board’s responsibility for security risks. But despite this, CISOs are increasingly facing legal consequences for violating cybersecurity and privacy policies – including the recent charges against current SolarWinds CISO Timothy G. Brown.
With 86% of organizations blaming security breaches at the door of the CIO, CISO or equivalent, according to Gartner, the real challenge is spreading accountability throughout the organization. With 5,360 breaches disclosed so far this year, it is critical to understand who is responsible for cyber risk and everyone’s role in maintaining strong security policies. Therefore, the CISO must ensure they foster a strong security culture and provide hands-on training across the company.
As the most prominent figure responsible for cybersecurity, it is common for the CISO to become the scapegoat when something goes wrong. However, the real problem lies in clarifying responsibility. As people are responsible for more and more devices, applications and accounts, the challenge of assigning responsibility becomes increasingly complex. Incomplete inventories make it harder for companies to see who is responsible for what, and the lack of a centralized hub or single source of truth exacerbates this problem, making it harder for security leaders and IT teams to operate effectively.
With the rise of regulations emphasizing governance – and the expansion of frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 that introduces a new key governance function – it is critical that everyone understands his responsibility in the company. By prioritizing governance, organizations can establish clearer lines of responsibility, improve the overall security posture and reduce the risk of individuals like the CISO being unfairly blamed.
Positive safety culture
Discussions about cybersecurity responsibility often focus on blame. However, building a strong cybersecurity culture goes beyond pointing fingers at employees for missing phishing emails or using weak passwords. Cybersecurity departments should be seen as partners of broader business units, just as IT is. This requires introducing collective responsibility and proactive measures throughout the organization. Adopting a fix-first mentality is key, creating an atmosphere where everyone supports cybersecurity and recognizing that incidents are rarely the result of one person’s actions.
Like security posture management, cybersecurity responsibility can be approached actively or reactively. An active approach involves proactively looking for ways to improve security. For example, by asking ‘what should we do to improve our safety position?’ – instead of ‘who isn’t doing their job well’? Likewise, in reactive situations, the emphasis should be on learning from problems, rather than initiating a “who’s to blame?” witch hunt.
As governance-focused cybersecurity regulations increase, taking a positive proactive stance is particularly important. Regardless of your role, understanding and prioritizing governance ensures better alignment with business objectives and reduces the burden of reactive security. Embracing a positive and supportive mindset promotes a culture of accountability throughout the organization.
By encouraging individuals to take responsibility for cybersecurity, organizations will see improvements in their overall security management. Cybersecurity teams must help everyone in the organizations understand their contribution to the posture – and to the overall governance. This shift not only mitigates the impact of incidents, but also promotes a resilient and safety-conscious organizational culture.
Become the people’s champion
To drive a positive security culture, companies need regularly updated asset inventories, controls, and a comprehensive security knowledge base, which together act as a single source of truth. This provides a real-time snapshot of safety policy compliance, highlighting strengths and identifying areas that need attention. Only by leveraging data from existing security tools can this single source of truth give all stakeholders a clear view of the data journey and ensure it is trustworthy.
This approach not only helps prioritize tasks, but also sheds light on responsibilities within the security team. By increasing responsibility, the CISO becomes a key player impacting the broader business landscape. Here, the single source of truth ensures CISOs can confidently deliver on the agreed-upon responsibilities of specific functions. For example, when CISOs look at a server, they can identify and prioritize any problems with it, figure out who is in charge of it, and find other devices managed by the same person that may be at risk.
With widespread visibility into the security posture across the enterprise, CISOs can effectively drive accountability and improve security. This is achieved not only by promoting a safety culture, but also by implementing training – which is now mandatory for some companies due to DORA – and something that would be good to disclose in any regulatory filings.
Breaking the blame game
With so much focus on cybersecurity responsibility, there is an opportunity to change the culture of blame that often overshadows security posture management. Responsibility for cybersecurity must become a collective effort involving every employee in the organization. Everyone must have a fundamental understanding of threats and preventive measures.
CISOs need tools that help them promote good security posture and prioritize actions to improve management. Only then can they increase security accountability across the organization by identifying asset owners and who is best placed to make these improvements.
We’ve highlighted the best business VPN.
This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc. If you are interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro