Is the CISO solely responsible for enterprise cybersecurity? That used to be the popular view within the organisation but a more realistic view, that cybersecurity is not a one-man show, has emerged. This change in perspective has been driven by the reality of cyberattacks that businesses must contend with:

• Cyberattacks can severely disrupt operations and have severe impact on business results, affect credit ratings, and may even result in businesses shutting down
• Regulators are not limiting cybersecurity scrutiny to CISOs, and are involving other senior leaders
• Cyberattack related litigation is increasing
• Threat actors are reporting victim’s compliance violations to regulators
• Potential loss of attorney-client privilege

The CISO can no longer be solely held responsible for cybersecurity when many businesses processes, which are outside the CISO’s purview, may open the doors to a cyberattack. Cybersecurity is no longer just an IT issue. As the above examples demonstrate, a cyberattack can severely impact shareholder value and even viability of the business, and therefore is a matter of concern for all enterprise stakeholders.

All stakeholders are not cybersecurity practitioners but have a role to play in maintaining enterprise cybersecurity, which can be achieved through establishing cybersecurity accountability.

Building Cybersecurity Accountability Across the Organisation

Building a culture of accountability in cybersecurity requires approaching enterprise cybersecurity from the top of the ladder in the organisation’s hierarchy (leadership/strategic level) to the bottom of the ladder (execution level). All levels must be held accountable for cybersecurity.

Strategy & Policies

An enterprise victim of a cyberattack reports that the impact of the attack more than offset the benefits of pricing, cost savings, and supply chain optimisation. This is a clear indication that the C-suite must prioritise cybersecurity as the cost of a cyberattack is greater than the benefits from strategic initiatives.

Strategy

Framing a cybersecurity strategy requires understanding the organisation’s threat exposure and compliance obligations in the context of the industry and regions in which the enterprise operates e.g., healthcare organisations in Abu Dhabi should incorporate ADHICS compliance as a strategic objective. Assess where your organisation stands and where it needs to be in terms of planned expansion. This will enable the C-suite to decide the approach, budget, and timelines, and frame policies accordingly.

Accountability

• Board of Directors – The board is accountable for prioritising cybersecurity as a strategic imperative for the organisation, understanding the organisation’s risk profile, and consequently positioning cyber defences at or near the top of the agenda
• C-suite – The board must hold the C-suite accountable for the creation and evolution of the cybersecurity strategy

Policies

The enterprise must establish a governance structure by framing cybersecurity policies for all stakeholders to follow. The policies will establish roles, responsibilities, standards, requirements, permitted use, and penalties; the policies may vary by region to accommodate differences in compliance obligations.

Accountability

• CISO – The CISO is accountable for creating governance policies and periodically evaluating them to ensure they remain adequate for the organisation’s cyber risk profile
• Employees – All employees must be held accountable for compliance which should be independently verified to ensure enterprise cybersecurity is maintained

Infrastructure

Effective enterprise cyber defences require cybersecurity infrastructure. The type and extent of cybersecurity infrastructure will depend on the enterprise’s industry, scale and geographical spread of operations, Bring Your Own Device and remote work policies, compliance requirements, and other such parameters that impact cybersecurity. All enterprises will, at the least, require endpoint security solutions to protect devices and network security solutions to protect networks.

Accountability

• CISO – The CISO should be accountable for assessing and communicating the cybersecurity infrastructure needs of the organisation to the C-suite and the board
• C-suite – The C-suite is accountable for ensuring that adequate resources are made available to the CISO for the establishment of appropriate cyber defences

Monitoring & Assessment

Cybersecurity is a process, not an event. Continuous monitoring and periodic evaluation of cyber defences are required to ensure that cybersecurity remains adequate to meet the evolving security and compliance needs of the organisation. Audits and assessments, such as Vulnerability Assessment and Penetration Testing, must be conducted periodically to ensure that all security gaps are closed. Such exercises may also be mandated by regulations.

Accountability

• CISO – The CISO is responsible for evaluating and communicating the need for monitoring and assessment
• C-suite – The C-suite is accountable for ensuring that resources are provided for such exercises, which may involve utilising external cybersecurity specialists

Certifications

Businesses may choose to be certified under ISO 27001, PCI DSS, or other cybersecurity standards as a demonstration of the reliability and quality of their operations, or the certification may be required by customers, vendors, or regulators for provision of a service.

Accountability

• Business Leaders – Business heads/other members of the C-suite are accountable for communicating their certification requirements to the CISO, and following the CISO’s guidance for achieving certification within their operational ambit
• CISO – The CISO will be accountable for the technical aspects of such certification within the cybersecurity domain

External Digital Ecosystem

Cybersecurity products can protect the organisation against code-based attacks that attempt to compromise enterprise digital resources – but threat actors may utilise the external digital ecosystem, such as social media, to conduct social engineering attacks that target users rather than machines.

Such attacks cannot be prevented by enterprise cybersecurity solutions; the only effective defence is to ensure that the business periodically conducts, and reinforces, cybersecurity awareness training for all stakeholders, enabling business users to act as a human firewall and thwart such attacks.

Enterprises must also periodically scan the external digital ecosystem to identify impersonators on social media and other digital platforms, which may be used for social engineering attacks, report such impersonators and have them blocked, and circulate the official communication channels of the organisation to all stakeholders to pre-empt impersonation.

Accountability

• Employees – All employees are accountable for preventing social engineering attacks from succeeding
• CISO – The CISO, working with HR, must ensure that employees are armed with the knowledge to identify social engineering
• Marketing – The Marketing team is accountable for reporting identified impersonators on external digital platforms and for including the official communication channels of the organisation in messages to stakeholders

Education & Training

Knowledge is a critical component of enterprise cybersecurity and all employees should receive training that is relevant to their roles and responsibilities to help them avoid cyberattacks and implement processes that are secure by design.

Accountability

• Business Leaders – Business heads are accountable for defining training requirements
• HR – HR is accountable for working with business heads to identify employee training requirements and for coordinating the training
• CISO – The CISO is accountable for design and delivery of the training

Building a culture of accountability around cybersecurity ensures that cyber threats, an enterprise-wide problem, are countered by enterprise-wide defences that are proactive rather than reactive and can stop cyberattacks before they start by involving all stakeholders and providing them with the guidance, knowledge, and tools they require to play their role in maintaining enterprise cybersecurity.

K7 Security helps organisations protect their operations and meet their compliance obligations through the provision of world-class cybersecurity products and services. Contact Us to learn more about how we can help you achieve comprehensive enterprise-wide cybersecurity.