Building a Cybersecurity Program: Who’s Responsible for What?

The nature of the cyber-threat landscape is evolving quickly, while the underlying technology platforms that hold sensitive data are also changing. In this fluid environment, management teams must create a nimble program of active cyber defenses informed by an iterative risk-management process.

Unlike other enterprise risks that can be managed with traditional controls, cybersecurity requires the mindset of a warrior. Think in terms of Sun Tzu’s guiding principles published in 473 BCE, in The Art of War:

We must know ourselves and our enemies and select a strategy to positively influence the outcome of battle. There is no reason to fear the attack, but there is reason to be concerned about our readiness to defend ourselves from the attack and respond appropriately.

One aspect of building a successful cybersecurity program is to build in the right processes, which are outlined in our previous article, “Aligning Cybersecurity With Business Goals: 5 Steps to Success.” Another critical aspect is to ensure that the organizational structure is aligned to implement and manage these processes, which means assigning risk-assessment management duties to the appropriate individuals and teams. In our experience, this is how responsibilities for cybersecurity management and oversight are typically allocated:

Executive level: Prioritize critical assets; establish risk appetite; approve risk-management strategy, including mitigating, transferring, and accepting the risk; approve the program and policies; assign responsibilities; provide oversight.

Business unit level: Define boundaries; design use-case scenarios to understand the impact from system attack and compromise; identify constraints for mitigating all risk; develop a justified risk-management strategy; identify all required users of systems or delegates to receive data on a “need to know” basis.

Systems-management level: Recommend technical and physical controls; identify threats and systems vulnerabilities; evaluate the likelihood and probability of impact for each threat and vulnerability; estimate the impact on systems and operations from a financial, legal, and regulatory perspective.


Building a cybersecurity program is a never-ending, iterative process. To have any chance of success, the right steps must be followed and the entire organization must be committed. Each level of the organization must participate in an integrated and collaborative fashion, and each team should be aware of its own responsibilities and be vigilant in ensuring that they are being met. As noted earlier: “There is no reason to fear the attack, but there is reason to be concerned about our readiness to defend from the attack and respond appropriately.”

Let that be a warning to us all.