Who is accountable for cybersecurity?

Whenever a cybersecurity incident happens, people start pointing fingers.

The I.T. staff is usually where most blame is assigned, at least to start.  If only the right patch was in place, if only the anti-virus software had been updated, if only the network was monitored correctly – the “if only” quandaries go on and on.  Those responsible for technology are the only ones who can take the right steps to prevent an attack, so they are a natural target for blame.

On further review, however, most of the blame for cybersecurity incidents gradually moves up the chain of command.  I.T. staff are only as good as the resources they have on hand.  Underinvestment in cybersecurity infrastructure is not an I.T. issue; it is a management issue.  Those who fail to comprehend warnings are clearly going to take some heat, but management that fails to make cybersecurity a priority may be equally responsible for subsequent breaches.

A new study conducted by Tanium and Nasdaq notes that 77% of C-level executives in the United States describe themselves as “cybersecurity illiterate”.  Of those same executives, 43% are unable to interpret cybersecurity reports in the same way they can interpret a financial audit report.

Cybersecurity is clearly an area which is developing faster than the corporate world can handle.  Yet the bar for cybersecurity literacy is not “are you an expert who has up-to-date knowledge of cyber threats”.  For many senior executives, the bar is simply “can you absorb the basic principles of cybersecurity and prioritize your resources accordingly.”  Unfortunately, the study indicates that the vast majority of companies cannot even attain that lower standard.

Aristotle coined the phrase “ignorance of the law is no excuse” – a maxim which translates into cybersecurity as well.  Neither I.T. managers nor corporate executives can afford to be ignorant about the impact of cybersecurity lapses anymore.  When cyber incidents happen (and they will happen), there will be plenty of blame to spread around.

Cybersecurity is an area which requires strong, knowledgeable leadership.  At the I.T. manager’s level, that means knowing the architecture of a system well enough to make realistic recommendations that correspond to the company’s threat profile.  At the senior executive level, that means being able to interpret information from the technical staff and ask the right questions.  And one step beyond that, it means taking concrete action which deals with vulnerabilities before they become a problem.

Customers hold businesses responsible for cybersecurity breaches by voting with their feet and wallets – a kind of accountability which can be very painful for a business to bear.  That is a strong motivation for everyone in business to feel a level of responsibility for a strong cyber defense.

Want to become more cyber literate?  Looking to exercise some leadership over your I.T. systems?  ECHO can help.