Who 'owns' cyber security?

Ahead of Cyber Security Live later this month, Nic Fearn asks: with cyber crime rocketing, who in your organisation should ultimately have 'ownership' of IT security?

One of the biggest challenges facing organisations today is cyber crime, with one cyber attack launched every minute on companies and public sector organisations across the UK, according to research from telecoms consultancy Breaming. The volume of attacks has grown by 122 per cent in the past year alone.

Furthermore, the global costs of cyber crime are going through the roof. Cybersecurity Ventures forecasts that damage caused by cyber crime will cost $6 trillion globally by 2021, up from $3 trillion five years ago.

As a result, there's growing pressure on organisations to take appropriate steps to protect themselves from cyber crime. But where should ultimate responsibility for, and ownership of, cyber security lie?

Meet Erik Vynckier, Professor Adam Joinson and many other cyber security specialists at Computing's Cyber Security Live 2019 event on Thursday 21st November in London. Attendance is FREE to qualifying IT leaders and IT pros, so reserve your place now, before they all go.

Responsibility varies

How cyber security is managed varies from one organisation to the next. At Foresters Friendly Society, responsibility is delegated across several levels. Erik Vynckier, interim chief executive at Foresters Friendly Society, says: "Overall, first-line responsibility rests with myself as CEO. There is also a training component to raise employee awareness, and there are fairly frequent reminders to raise awareness."

However, an outsourced IT manager takes responsibility for the day-to-day running of the firm's cyber security activities, such as managing firewalls and fending off viruses. "There is regular penetration testing with a varying pool of external testers to get variety and fresh approaches to the intrusions that are attempted," says Vynckier.

Other responsibilities are handled by a chief risk officer, various committees and an internal audit team. "Our CRO reviews and discusses security issues with the Audit, Risk and Compliance Committee and a Board committee. In the second line as well, the chief compliance officer is Data Protection Officer and in the case of a breach, reports the facts to the ICO (Information Commissioner's Office)," Vynckier says.

He continues: "On occasion, the third line - internal audit - investigates aspects of software, mostly if there is an IT project significantly impacting our IT framework. Furthermore, our external auditors tend to investigate the integrity of our data - this is looking out largely for internal fraud by clearly defining roles and handling employee turnover correctly in our IT environment."

Everyone plays their part

When it comes to identifying and mitigating security risks, there isn't one formula that will work in all circumstances. Colin Robbins, managing security consultant at cyber security firm Nexor, says it depends upon the size of the organisation and the nature of the business.

But what's clear, according to Robbins, is that security is ultimately a board responsibility. "Boards need to ensure they have an appropriate governance structure, with roles and responsibilities for security clearly defined," he explains. "In smaller organisations, we are seeing the specialist skills do not exist in the company, hence the risk of the virtual CISO - a contracted out, part-time role, on a retainer basis."

He takes the view that leaders need to ensure company security objectives are clear and supported by a comprehensive set of security policies. He continues: "An effective security/risk management approach then needs to be in place to identify security risks and implement suitable controls, together with metrics to assess the effectiveness of the controls. This then needs to be supported by an effective audit regime to assess the effectiveness of the security controls."

Christopher Hodson, chief information security officer at Tanium and author of Cyber Risk Management, agrees that core responsibility must lie with key decision-makers. "It's the CISO and security team who identify the strategic direction for cybersecurity across the enterprise.

"A company's executive leadership team (the c-suite) must define the 'tone from the top' - outlining attitudes to risk and mandating the enforcement of information security policies," he says.

That said, everyone must play their part. Hodson explains: "All staff need to be educated in cybersecurity awareness - how to carry out their job duties while minimising the likelihood of business disruption as the result of a cybersecurity incident.

"Security leaders need to foster a culture of openness and transparency across the enterprise; if a user receives a suspicious-looking email or accidentally clicks on an executable they need to feel comfortable reporting the matter to their security team (without the fear of being unfairly reprimanded)."

Developing a security culture

With cyber security threats growing and becoming increasingly complex, there's pressure on organisations to develop a security culture where all employees understand the risks and are held accountable.

Steven Chabinsky, a partner at law firm White & Case, believes that the most important aspect of any organisational culture is to lead by example. "If a company has a policy in place, it should be followed by everyone. That means, for example, that the C-suite should not share their passwords with their administrative assistants, or forward business emails to personal accounts, if doing so is prohibited," he says.

He urges organisations to ensure that training is accompanied by an easy way to report issues and to receive feedback when items are reported. "Many companies have a [email protected] email address to be used by employees to forward suspicious messages, or a security desk to contact if they think they may have clicked on a bad link. When those reporting channels are used, the companies should thank them and let them know the status of the issue," he says.

He adds that staff also need to understand the significance of their responsibilities and, at times, to be challenged should they violate the organisation's security rules. Chabinsky says: "Of course, every instance is different so penalties must take into account the nature of the offence and whether it was repeated conduct."

In the next few years, he expects the scope of cyber security ownership and oversight to change significantly. He says: "Currently, companies tend to be focused solely on their internal IT systems.

"Over time, corporate leaders will recognise the need to include operational technology security as well as taking software and applications security risk management into account, and associated vendor risk management based on the increasing level of outsourcing.

"In the coming years, employees at all levels of an organisation will better understand that they all own cyber security to lesser and greater degrees, and that the company's security posture demands they all embrace their responsibilities."

In today's interconnected world, cyber crime has become a core consideration for all organisations. Clearly, any that fail to take these risks seriously will pay a heavy price when they fall victim to attacks - and that's before the high costs of GDPR fines are taken into consideration.

But stopping cyber crime isn't an easy task, and that means that everyone within an organisation needs to understand that it's their responsibility as much as anyone else's.