Survey Finds Lack of Consensus on Cybersecurity Accountability

Survey Finds Lack of Consensus on Cybersecurity Accountability

Results from a new study by Palo Alto Networks have revealed there is still plenty of work to be done within organizations when it comes to working collaboratively and sharing responsibility to prevent data breaches.

According to the survey, nearly half (46%) of 765 business decision-makers believe that responsibility for protecting an organization from cyber-crime lies solely with the IT department. Interestingly, more than half (57%) of those working in IT agreed, stating they hold sole domain over a company’s security.

Speaking to Infosecurity, Dr Adrian Davis, Managing Director EMEA, (ISC)2 said Palo Alto’s survey acknowledges one of the key issues surrounding cybersecurity risk, and that is accountability. 

“Cyber risk is an issue for all. Accountability for cyber risk will need to be embraced by all as we move forward in this now digitally dependent world. The challenge is that society as a whole is only in the early stages of appreciating this.” He argued.

“IT is accountable for understanding and articulating the risks around the solutions they propose and manage; business is also accountable for listening; assessing and assuring a strategy for managing the risks with IT. There is also a third group of influencers here – the innovators – who are going to have to recognize accountability for understanding and preventing the vulnerabilities that they are introducing by not designing with security in mind.”

The findings from this survey will raise concerns over how well issues of cybersecurity are being translated and understood within companies, especially with the General Data Protection Regulation (GDPR) coming into effect within the next few months. In the event of a breach, the GDPR will assign responsibility to any member of staff who has access to an organization’s data, which means that it is now imperative for companies to be educating all employees from all departments – from board-level executives to customer service staff.

Greg Day, vice president and regional chief security officer, Europe, Middle East and Africa, Palo Alto Networks, said:

“The new EU regulations will require businesses to step up their cybersecurity practices, and this can be an opportunity or a risk, depending on how these businesses choose to approach it. Ultimately, it is critical that managers recognize that, when it comes to cybersecurity, the onus is on everyone – it’s no longer a dark art but an everyday business practice that must pervade every level of the organization.”

The results suggest that a shortage of cybersecurity knowledge at leadership level is influencing the lack of consensus about where duties lie, with 13% of C-level respondents admitting they do not fully understand what defines an online security risk to a business. 

They also allude to the fact that the approaches many organizations currently use to gauge security do not provide a comprehensive outlook of what risks they are actually facing. A quarter of companies determine how effective their security infrastructure is by how many incidents they block, and 13% feel the length of time passed since their last breach shows how well they are doing.

Instead, to provide an accurate view of risk, Palo Alto Networks recommended companies should introduce pre-emptive and real-time methods such as monitoring all the traffic in its network.

Source: Information Security Magazine