The need for collective cybersecurity accountability
How CISOs can drive accountability for security posture
A decade ago, the Chief Information Security Officer (CISO) role was simpler. Today, it's transformed beyond recognition, shaped by the radical evolution of cybersecurity. While recent regulations like the EU’s Digital Operational Resilience Act (DORA) and new SEC rules, shifted accountability towards the board, if the worst happens the burden often lands on one person – the CISO.
This weight can’t entirely be shouldered by a ‘Chief Incident Scapegoat Officer’. Instead, CISOs need to drive accountability for security posture across the organization.
Security Product Expert at Panaseer.
Rising CISO Struggles
New regulations such as DORA, SEC disclosure rules, and NIS 2 underscore board accountability for security risks. But despite this, CISOs are increasingly facing legal repercussions for misrepresenting cybersecurity and privacy policies – including the recent charges made against the current SolarWinds CISO Timothy G. Brown.
With 86% of organizations putting the blame for security breaches on the CIO, CISO, or equivalent according to Gartner, the real challenge is spreading accountability throughout the entire organization. With 5,360 publicly disclosed breaches so far this year, understanding who's accountable for cyber risks, and everyone's role in keeping a tight security stance, is key. That's why the CISO must ensure they are fostering a strong security culture and providing practical training, throughout the business.
As the most high-profile figure responsible for cybersecurity, it’s common for the CISO to become the scapegoat when things go wrong. However, the real issue lies in clarifying accountability. As people are responsible for more and more devices, applications, and accounts, the challenge of assigning responsibility becomes increasingly complex. Incomplete inventories make it harder for businesses to see who's responsible for what, and the absence of a centralized hub or a single source of truth exacerbates this issue, making it harder for security leaders and IT teams to operate effectively.
With the rise of regulations emphasizing governance – and the expansion of frameworks such as The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 introducing a new key Govern function – it's crucial for everyone in the business to grasp their accountability. By prioritising governance, organisations can establish clearer lines of responsibility, enhance overall security posture and reduce the risk of unwarranted blame on individuals like the CISO.
Positive security culture
Cybersecurity accountability discussions often focus on blame. However, building a strong cybersecurity culture extends beyond pointing the finger at employees for overlooking phishing emails or using weak passwords. Cybersecurity departments should be seen as partners to wider business units, in the same way that IT is. This requires instilling collective responsibility and proactive measures across the organization. Adopting a fix-first mentality is key here, creating an atmosphere where everyone supports cybersecurity, recognizing incidents rarely result from a single person's actions.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Like security posture management, cybersecurity accountability can be approached actively or reactively. Taking an active approach should involve proactively seeking ways to enhance security posture. For instance, asking ‘what do we need to do to improve our security posture?’ – rather than ‘who isn’t going their job properly’? Similarly, in reactive situations, the focus should be on learning from problems rather than initiating a ‘who’s to blame?’ witch hunt.
With governance focused cybersecurity regulations increasing, taking a positive proactive stance is particularly important. No matter your role, understanding and prioritizing governance ensures better alignment with business objectives and reduces the burden of reactive security. Embracing a positive and supportive mindset promotes a culture of accountability throughout the organization.
By encouraging individuals to take ownership of cybersecurity, organizations will see improvements in their overall security posture management. Cybersecurity teams need to help everyone in the organizations to understand their contribution to posture – as well as overall governance. This shift not only mitigates the impact of incidents but also fosters a resilient and security-conscious organizational culture.
Becoming the people’s champion
To drive a positive security culture, businesses need regularly updated asset inventories, control mechanisms, and a comprehensive security knowledge base that together act as a single source of truth. This offers a real-time snapshot of security policy adherence, highlighting areas of strength and identifying areas requiring attention. Only by tapping into data from existing security tools, can this single source of truth give all stakeholders a clear view of the data journey and ensure it's reliable.
This approach not only helps prioritise tasks but also shines a light on responsibilities within the security team. By boosting accountability, the CISO becomes a key player influencing the broader business landscape. Here, the single source of truth lets CISOs confidently assert the agreed-upon responsibilities of specific functions. For example, when CISOs look at a server, they can identify and prioritize any problems with it, figure out who's in charge of it, and find other devices managed by the same person that may be at risk.
With a widespread understanding of the security posture across the business, CISOs can effectively drive accountability and enhance security. This is achieved not only through fostering a security culture but by implementing training – now compulsory for some companies due to DORA - and something that would be good to disclose in any regulatory filings.
Breaking the blame game
With so much focus on accountability in cybersecurity, there’s an opportunity to change the blame culture that often overshadows security posture management. Responsibility for cybersecurity must become a collective effort involving every employee in the organization. Everyone must have a fundamental understanding of threats and preventive measures.
CISOs need tools that enable them to promote good security posture and prioritise actions to improve management. Only then can they drive accountability for security posture across the organisation by identifying asset owners, and who is best placed to action those improvements.
We've featured the best business VPN.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Nick Lines is Security Product Expert at Panaseer.