Now that Mark Zuckerberg has acknowledged that Facebook did make a mistake and admitted wrongdoing (though technically this may not qualify as a data breach per se, it's definitely a breach of trust; for more on that, read my earlier post on dynamicCISO here), the next big question is who should be held accountable for the fiasco that eroded almost $40 billion off its market value within 2 days of the scandal coming into the public eye.
I spoke to some key Indian CISOs for their views on who they think should take the ultimate blame at Facebook, and what has come out of these conversations is quite interesting. While all agree unanimously that Facebook has failed in preventing the compromise of the privacy of its 50 million users, most are wary of the buck stopping at the CISO and feel that his accountability in such a case is limited. The larger consensus is that the CEO too should take the fall.
According to Sapan Talwar, Founder & CEO, Aristi Ninja, “While the CISO is accountable for sure, if he/she is putting appropriate remediation efforts around security management in the evolving threat landscape, periodically sharing the risk matrix and sounding off the leadership for the support required in terms of resources (people, $$$, tech), then the CEO along with the CISO reporting line becomes the co-owner or sometimes the whole sole risk owner, hence responsible for the breach. Overall the prevailing mindset has to change, making all decision makers equally responsible.”
For Mathan Babu Kasilingam, CISO, National Payments Corporation of India (NPCI), the reasoning behind holding the CEO accountable is that the CEO lays down the strategy for the business, and the model for allowing interfaces is decided by the strategy of the firm. “The next best is the CIO, who most often looks at IT as a business enabler and does not look into the risks of allowing such initiatives without addressing the gaps. But the blame is on the CISO, who most often is not involved in either the strategy or the technical solutioning stage,” he explains.
According to Siddharth SP, CISO of a leading global insurance company, the CISO would be accountable for failure to prevent an external/internal entity breaking into the company's defenses and stealing data without leaving any trace; for everything else, the buck should stop at the CEO (and those directly responsible for negligence).
According to Jaspreet Singh, Partner – Cyber Security, EY, the accountability is collectively that of the CEO, CIO and CISO and not with one person. However, this doesn't absolve the CISO, as he would be responsible for third-party risk assessment.
These reactions are aligned with the massive push for information and cybersecurity to become business and board issues, which means the board owning up to equal responsibility for safeguarding the organization against cybersecurity risks. In fact, in some of the recent breach cases, such as Target and Equifax, we have seen the stakeholders – customers, partners, vendors, shareholders – demanding that heads roll right at the top, including that of the CEO.
This, in turn, is also strengthening the case for a massive push for cybersecurity onto the board and for the CISO to be given a seat on the board. “I believe the CEO and board should be held equally responsible for security breaches. Hence the CISO should have a place on the board, without which board executives cannot take meaningful and productive risk management actions/decisions without the right expertise when taking calls on such partnerships,” reasons Dilip Panjwani, Head - CISO & IT Controller, Larsen & Toubro Infotech.
Ganesh Viswanathan, SVP & Chief Information Security & Privacy Officer, Quatrro, asserts that security is a shared responsibility across all levels and functions. “The CISO who is supposed to execute and oversee the company's cybersecurity strategy should be part of the board level discussions to bring additional insight and expertise to any C-suite decisions on cybersecurity,” he explains.