Who Carries the Weight of a Cyberattack?


Almost immediately after a company discovers a data breach, the finger-pointing begins. Who is to blame? Most often, it is the chief information security officer (CISO) or chief security officer (CSO) because protecting the network infrastructure is their job. Heck, it is even in their job title: they are the security officer. Security is their responsibility.


But is that fair – or even right?


After all, the most common sources of data breaches and other cyber incidents are situations caused by employees: weak passwords, phishing emails and social engineering attacks. Are CISOs unfairly scapegoated, both in the workplace and in the courtroom? Are they shouldering the weight of cyberattacks because leadership cares more about public relations?


At the end of the day, boards of directors and high-level executives want to show their stakeholders and customers that not only is someone being held responsible, but it is also the person with the word “security” in their job title. Ultimately, this may make organizations more vulnerable to attack.


CISOs On Trial


“Every time there’s a high profile breach, business needs a fall guy,” Stuart Mitchell, head of information and cybersecurity recruitment at Stott and May, told CIO Dive.


At one time, the CEO bore the responsibility for a cyber incident and its aftermath. But increasingly, CISOs have become that fall guy. Not only are they losing their jobs, they often face legal culpability for their organizations’ data breaches. This creates a precedent that could put cybersecurity at greater risk.


Often a CISO may not control all the factors which affect their organization’s ..
