TalkTalk CEO Dido Harding told a parliament committee today that she was responsible for security when the telecoms firm was hacked in October.
Harding was quizzed by Jesse Norman, chair of the committee, as well as several other committee members, on the hack, in which 156,656 TalkTalk customers had their personal details accessed.
Harding said that she was accountable and responsible for security in the company "before the attack and now".
But Norman suggested that this can't be the case as Harding is running the whole firm, which prompted Harding to state that cyber security was a board issue, and therefore she did have responsibility for it.
Harding added: "I do have an executive director who works on the board who has a security team that works for him."
The TalkTalk CEO went on to claim that security in a telecoms company means more than just a direct security team.
"Security touches everyone in the company which is why I should be directly responsible for it," she said.
The executive director that Harding was referring to is Charles Bligh, who previously worked at IBM for 22 years before joining TalkTalk in 2011. But Harding was eager not to place blame on Bligh - or indeed any other line manager - for the failures at TalkTalk. She said that the responsibility for keeping customer data safe was split among a number of teams.
She said that the accountability for security audits and best practice sits with the security team, but implementations of systems and processes and how those comply with security policies sit with the technology team. Other security issues such as passwords are handled by an operations team.
"So it is impossible to say the director of security is responsible," said Harding, before agreeing that if the firm was to find a specific area at fault, then perhaps a line manager could be found responsible - albeit not for this hack.
"It is possible that none of them are to blame if it is a criminal attack - that's why it is a board-level issue rather than an individual-level issue," she said.
When Norman asked Harding who on TalkTalk's board is considered technically knowledgeable on cyber security, she claimed that the firm is lucky that it has a number of non-executive directors with cyber security knowledge, namely
James Powell, who is currently global CTO of Nielsen, and was formerly CTO of Thomson Reuters.
When later probed on whether Powell, and consultancy PwC which was carrying out a thorough investigation into the hack, could be trusted with information about the incident, Harding said that she had no concerns about this whatsoever.
She added that when it came to cyber security, her non-executive directors would admit that "none of us know enough yet".
"Any CEO that says they know enough about this subject means they haven't thought about it enough yet," she said.
Last month, Computing asked several CIOs who they thought would be to blame in the event of a data breach at their companies. Some suggested it would be their responsibility, while others said the CFO, and ultimately the CEO could be to blame.
Many of Harding's conclusions chime with the findings of Computing's recent research which can be found here.
Budget carrier confesses to hack in January 2020, and has informed the Information Commissioner's Office
The Travelex ransomware raises the question, once again, of whether organisations should be obliged to provide more information
No zero-days patched in the latest release
Attack, which came as firm was preparing for Covid measures, was a 'perfect storm' CEO says
Make passwords at least 13 characters long and protect email with a strong passphrase, police advise
With Covid-19 related fraud through the roof it's time to review password policy, says South East Regional Organised Crime Unit