I was responsible for security at the time of the hack, says TalkTalk CEO Dido Harding

Sooraj Shah

Harding tells parliament committee that she was accountable because cyber security is a board issue

TalkTalk CEO Dido Harding told a parliament committee today that she was responsible for security when the telecoms firm was hacked in October.

Harding was quizzed by Jesse Norman, chair of the committee, as well as several other committee members, on the hack, in which 156,656 TalkTalk customers had their personal details accessed.

Harding said that she was accountable and responsible for security in the company "before the attack and now".

But Norman suggested that this can't be the case as Harding is running the whole firm, which prompted Harding to state that cyber security was a board issue, and therefore she did have responsibility for it.

Harding added: "I do have an executive director who works on the board who has a security team that works for him."

The TalkTalk CEO went on to claim that security in a telecoms company means more than just a direct security team.

"Security touches everyone in the company which is why I should be directly responsible for it," she said.

The executive director that Harding was referring to is Charles Bligh, who previously worked at IBM for 22 years before joining TalkTalk in 2011. But Harding was eager not to place blame on Bligh - or indeed any other line manager - for the failures at TalkTalk. She said that the responsibility for keeping customer data safe was split among a number of teams.

She said that the accountability for security audits and best practice sits with the security team, but implementations of systems and processes and how those comply with security policies sit with the technology team. Other security issues such as passwords are handled by an operations team.

"So it is impossible to say the director of security is responsible," said Harding, before agreeing that if the firm was to find a specific area at fault, then perhaps a line manager could be found responsible - albeit not for this hack.

"It is possible that none of them are to blame if it is a criminal attack - that's why it is a board-level issue rather than an individual-level issue," she said.

When Norman asked Harding who on TalkTalk's board is considered technically knowledgeable on cyber security, she claimed that the firm is lucky that it has a number of non-executive directors with cyber security knowledge, namely James Powell, who is currently global CTO of Nielsen, and was formerly CTO of Thomson Reuters.

When later probed on whether Powell, and consultancy PwC which was carrying out a thorough investigation into the hack, could be trusted with information about the incident, Harding said that she had no concerns about this whatsoever.

She added that when it came to cyber security, her non-executive directors would admit that "none of us know enough yet".

"Any CEO that says they know enough about this subject means they haven't thought about it enough yet," she said.

Last month, Computing asked several CIOs who they thought would be to blame in the event of a data breach at their companies. Some suggested it would be their responsibility, while others said the CFO, and ultimately the CEO, could be to blame.

Many of Harding's conclusions chime with the findings of Computing's recent research which can be found here.

 
