I was responsible for security at the time of the hack, says TalkTalk CEO Dido Harding

Sooraj Shah
clock

Harding tells parliament committee that she was accountable because cyber security is a board issue

TalkTalk CEO Dido Harding told a parliament committee today that she was responsible for security when the telecoms firm was hacked in October.

Harding was quizzed by Jesse Norman, chair of the committee, as well as several other committee members, on the hack, in which 156,656 TalkTalk customers had their personal details accessed.

Harding said that she was accountable and responsible for security in the company "before the attack and now".

But Norman suggested that this can't be the case as Harding is running the whole firm, which prompted Harding to state that cyber security was a board issue, and therefore she did have responsibility for it.

Harding added: "I do have an executive director who works on the board who has a security team that works for him."

The TalkTalk CEO went on to claim that security in a telecoms company means more than just a direct security team.

"Security touches everyone in the company which is why I should be directly responsible for it," she said.

The executive director that Harding was referring to is Charles Bligh, who previously worked at IBM for 22 years before joining TalkTalk in 2011. But Harding was eager not to place blame on Bligh - or indeed any other line manager - for the failures at TalkTalk. She said that the responsibility for keeping customer data safe was split among a number of teams.

She said that the accountability for security audits and best practice sits with the security team, but implementations of systems and processes and how those comply with security policies sit with the technology team. Other security issues such as passwords are handled by an operations team.

"So it is impossible to say the director of security is responsible," said Harding, before agreeing that if the firm was to find a specific area at fault, then perhaps a line manager could be found responsible - albeit not for this hack.

"It is possible that none of them are to blame if it is a criminal attack - that's why it is a board-level issue rather than an individual-level issue," she said.

When Norman asked Harding who on TalkTalk's board is considered technically knowledgeable on cyber security, she claimed that the firm is lucky that it has a number of non-executive directors with cyber security knowledge, namely
James Powell, who is currently global CTO of Nielsen, and was formerly CTO of Thomson Reuters.

When later probed on whether Powell, and consultancy PwC which was carrying out a thorough investigation into the hack, could be trusted with information about the incident, Harding said that she had no concerns about this whatsoever.

She added that when it came to cyber security, her non-executive directors would admit that "none of us know enough yet".

"Any CEO that says they know enough about this subject means they haven't thought about it enough yet," she said.

Last month, Computing asked several CIOs who they thought would be to blame in the event of a data breach at their companies. Some suggested it would be their responsibility, while others said the CFO, and ultimately the CEO could be to blame.

Many of Harding's conclusions chime with the findings of Computing's recent research which can be found here.

 

You may also like
Parliament to trial Microsoft Copilot after MPs lobby for AI

Artificial Intelligence

Will start trials this year

clock 24 June 2024 • 3 min read
Pure Storage says attackers broke into a Snowflake environment

Hacking

But no sensitive data was compromised

clock 13 June 2024 • 2 min read
UK and Canada launch joint probe into 23andMe data breach

Hacking

Company has pledged to cooperate with regulators

clock 12 June 2024 • 2 min read

More on Security

Microsoft 365 emails vulnerable to newly discovered exploits

Microsoft 365 emails vulnerable to newly discovered exploits

Security woes continue

Penny Horwood
clock 20 June 2024 • 2 min read
Cyber gang shifts focus to SaaS apps

Cyber gang shifts focus to SaaS apps

‘Scattered Spider’ is targeting vSphere, Salesforce, Crowdstrike and more

Vikki Davies
clock 18 June 2024 • 2 min read
Microsoft June Patch Tuesday has fixes for Windows, Outlook and SharePoint

Microsoft June Patch Tuesday has fixes for Windows, Outlook and SharePoint

A relatively quiet month

John Leonard
clock 12 June 2024 • 2 min read