Risk Management: Who’s Responsible? Who’s Accountable?

This incident really happened. The CISO of a global food company shut down a production plant of his own volition. The board was about to fire him, until he explained his thinking: The company’s recipe was two chemicals away from producing poison—and adversaries had obtained a copy of said recipe. What would have happened if the CISO had not discovered this threat and taken immediate action? The board cringed at the thought.

In today’s world, events of this type are happening with greater frequency—and associated risk. It is more or less impossible for anyone to state with unequivocal certainty where the next cybersecurity threat will come from and how it might manifest itself. And, unfortunately, the challenge is only going to get more complicated, as initiatives such as the Internet of Things increase attack surfaces.

So, in this environment, how do you manage risk? How do you determine who is responsible for assessing risk? Who is held accountable if there is a breach or other negative cybersecurity event? How do we ensure that the people, processes, and technologies are providing the protections needed to minimize risk and remain compliant with government regulations?

These were among the pressing issues that were discussed last week at an exclusive panel discussion in London, hosted by Sven Petersen, who leads the technology practice group at Egon Zehnder here, and his colleague Helen Crowley; Joel Harrison, partner in the Technology Practice at Milbank, Tweed, Hadley & McCloy LLP; and Greg Day, VP and CSO, EMEA, at Palo Alto Networks.

These four hosts were joined by business and government leaders focused on the areas of cybersecurity, risk management, finance, and legal. Here are some of the collective thoughts and wisdom from the panel:

Communications: Clear communication is vital. As one participant noted: “Whoever speaks to the board has to be able to explain it in plain English, not jargon.” CISOs must speak in language that business decision makers can understand and relate to. “CFOs get frustrated because the CISO and IT heads ask for money—but they don’t know how to translate this into understandable risk language. Why is this security spend relevant to the business? If you distill what’s relevant, you can apply context and figure out if it really is an issue, and then assess the risk appetite of the company.”

Collaboration and Constant Vigilance: One company related how it hired consultants to define best practices when the cybersecurity risk-management program was in the early stages of development. They worked in collaboration with representatives from all areas of the business and mapped out their program in accessible language. It needed to be flexible, with a framework and mapping, and they now do a re-evaluation monthly and an external audit every year.

Cybersecurity Integration: One participant mentioned a statistic citing 80% of companies having DevOps teams to take new products to market, but only about 15% have DevSecOps. “If cybersecurity isn’t built into the grass roots of product development, how can it keep up with innovation?” Another participant said DevSecOps is the only way to ensure shared accountability, meaning DevOps teams should be accountable for security in new services and features. Instead, they are typically measured on the delivery and functionality of the product. “Splitting the two is a problem.”

Additional subjects and highlights:

  • GDPR: Rather than grousing about GDPR, leaders should use it as an opportunity to step back and assess where they are. “Are the fundamentals in place? Are we documenting our activities? If someone gets in, can we retrace our steps?”
  • Culture: Education and accountability are a shared responsibility. Overall, attendees agreed, if something goes wrong, “you need to come clean.” One participant noted that it is good to encourage “speaking up,” which feeds a culture of collective responsibility and accountability.
  • Complexity: How do you make informed decisions? By understanding the decision that must be made. In reality, cybersecurity should be no more complex than a pension discussion, and it should be embedded into everyday business decisions.