
Promote a collaborative security culture to avoid becoming a “scapegoat for security incidents.”

Just 10 years ago, the role of the Chief Information Security Officer (CISO) was simpler. Much has changed since then, and radical shifts in the threat landscape have forced the CISO to evolve.

New regulatory changes have added further complexity. For example, the EU’s Digital Operational Resilience Act (DORA) requires stricter scrutiny of all third-party vendors, and new SEC rules require publicly traded companies to report significant cybersecurity incidents within four days. Both of these rules require boards to take more responsibility for cybersecurity, but the ultimate responsibility often rests with a single person: the CISO.

However, it is not sustainable for our industry to rely solely on a “Chief Incident Scapegoat Officer” to ensure the security of an organization. The task has become too large for one person. Instead, CISOs must take responsibility for the security posture across their entire organization.

The CISO Challenge

Regulators have raised the stakes. From DORA and NIS 2 in the EU to the SEC’s new disclosure rules in the US, we see a clear message. Boards of directors are accountable for security risks. But it is the CISOs who face legal consequences for cybersecurity and privacy policy violations, not the board as a whole. The recent charges against SolarWinds CISO Timothy G. Brown are a prime example of this new trend.

Gartner reports that 86% of organizations attribute security breaches to the CIO, CISO or a similar position. However, we should distribute responsibility across the entire organization, not just a single person at the top. This year alone, 5,360 breaches were publicly disclosed, and it is critical to understand responsibility for cyber risk and everyone’s role in maintaining robust security. CISOs should prioritize developing a solid, company-wide security culture that includes extensive training to distribute responsibility.

Although organizations often consist of thousands of employees and many more machines, the CISO is often made the scapegoat when security breaches occur. While they are ultimately responsible for cybersecurity, the crux of the problem lies in unclear ownership of responsibilities. Modern networks are enormously complex, and individuals manage more devices, applications, and accounts than ever. Assigning ownership of this flood of assets has become incredibly challenging for CISOs. Incomplete inventories prevent them from identifying those responsible, and the lack of a central hub or single reliable source of truth only makes matters worse.

Ensuring that everyone in an organization understands their role in security will be critical as cybersecurity regulations that put governance at the center become more common and frameworks such as the NIST Cybersecurity Framework (CSF) 2.0 introduce a new key “govern” function. Organizations need to make governance a priority as it will enable them to establish clearer lines of accountability, strengthen the overall security posture, and relieve the CISO of sole responsibility.

Promote a positive security culture

Discussions about cybersecurity responsibility often degenerate into blame games. But building a robust cybersecurity culture goes beyond simply blaming employees for oversights like clicking on phishing links or using weak passwords. IT departments are perceived as partners of the entire business, and we need to view cybersecurity the same way. This requires collective responsibility and proactive action across the organization.

Security incidents are rarely the result of a single person’s actions, so we need to learn from incidents and end the witch hunt for who is responsible. It’s critical that we develop a fix-first mentality and change the perception of cybersecurity from the effort of a single team to an enterprise-wide effort.

With compliance becoming increasingly important, the industry needs to be proactive. Everyone needs to understand how governance aligns with business objectives, regardless of their role. Encouraging individuals to take responsibility for cybersecurity will help improve overall security management.

Cybersecurity teams need to help everyone understand their role in the cybersecurity posture. This shift promises to reduce the blast radius of incidents and also promote a robust and security-conscious company culture.

Strengthening individuals for collective security

To establish a positive security culture, organizations must regularly update their asset inventories and controls and combine this with a comprehensive security knowledge base to create a single source of truth: a real-time snapshot that facilitates compliance and identifies both strengths and areas that require attention.

Establishing this central hub can help prioritize tasks and will also provide insight into the security team’s responsibilities and areas where they need to take action. By increasing accountability, the CISO becomes a key figure who can influence others. Armed with this data, CISOs can confidently demonstrate responsibility for security. For example, when investigating a server, CISOs can pinpoint and prioritize any issues, determine the responsible party, and identify other devices managed by the same person that may be vulnerable. They can then work with that person to improve security by optimizing security tools or deploying additional solutions as needed, helping to close potentially critical security gaps.

By promoting a comprehensive understanding of the security posture across the organization, CISOs can effectively enforce accountability and strengthen security measures. A security-focused culture will certainly help achieve this, but CISOs must also implement training programs, which are now mandatory for certain companies under DORA.

As cybersecurity responsibility becomes more front and center, there is an opportunity to change the blame culture that overshadows security management. CISOs now need tools that can help them promote a positive security posture and prioritize actions for improvement. Only then can they drive security responsibility across the organization by identifying asset owners and effectively implementing improvements.

This helps reduce the likelihood of a successful attack on organizations and can save CISOs from personal prosecution and, just as importantly, the organization from heavy penalties from regulators.

Nick Lines, Security Evangelist, Panaseer