Who is responsible for Cybersecurity?
By TJ Mann, Senior Director Cybersecurity & CISO, Children’s Mercy
Businesses are moving at the speed of a Ferrari, and the massive ongoing digital transformation is fueling it. The COVID-19 pandemic has been the reason for many organizational digital transformations, but in reality this has been occurring long before COVID-19. Threat actors are improvising and are already a step ahead by tapping into disruptive technologies powered by AI and machine learning. In this fast-paced business environment, who is responsible for Cybersecurity?
- Business Units – In most cases, cyber-criminals are shooting in the dark and hoping someone takes their bait. Some Business Units are high-value targets (e.g., Finance, HR) and favorites for threat actors to execute threats such as Business Email Compromise. From an accounting standpoint, Cybersecurity is a cost center versus the various Business Units which generate revenue, so there is always a balancing act between robust cybersecurity and allowing the business to run and make money. However, Business Units can be the first line of defense in thwarting cyber attacks if they are equipped with relevant, good security awareness and training.
- Compliance – Compliance is good for cybersecurity, but not the sole driver for cybersecurity. A well-built Cybersecurity Program should incorporate an organization’s compliance requirements, but a Compliance-based Cybersecurity Program is merely checking the boxes. Compliance plays a significant role in ensuring security controls are tested, audited, and meet all applicable regulatory compliance guidelines and highlights areas of improvement before a threat actor exploits vulnerabilities to access organizational assets.
- Internal Audit – A solid Internal Audit Program is a saving grace in many situations. Internal auditors audit organizational Programs and help identify gaps from a security, regulatory, and internal-control performance perspective. It is critical for internal auditors to stay up to date on the current cybersecurity risk and threat landscape so they can bring an independent perspective on how to improve an organization’s cybersecurity posture. On the flip side, too many audits can result in audit fatigue. It is imperative for cybersecurity leaders to build a good relationship with Internal Audit, share their input into the audit plans, and guide auditors to the areas of most importance based on risk.
- Enterprise Risk Management – A well-defined Enterprise Risk Management Program exists to guide a CISO in developing and defining a Cybersecurity Risk Management Program for the organization. The Enterprise Risk management team helps a CISO validate cyber risks and define cyber risk tolerances within which a CISO is responsible to maintain the organization’s cyber risk posture. The Enterprise Risk Management Program helps liaise with the Board of Directors to ensure an organization manages cyber risk according to its risk appetite and advocates for funding and resources, as needed, to manage cyber risk within defined cyber risk tolerances.
- Board of Directors – The Board is the ultimate body responsible for shaping an organization’s Cybersecurity Program. It has a fiduciary duty to reduce risk to the organization. It should come as no surprise that Cybersecurity is a top risk for any organization with a digital presence in today’s world. The Board approves an organization’s Cybersecurity Program and provides input on changes in cyber risk posture based on periodic Cybersecurity Program reporting from the CISO. The Board is critical in approving resources and funding as needed to enhance an organization’s Cybersecurity Program and reduce cyber risk in line with organizational goals. It is the CISO’s responsibility to ensure the Board stays current in its understanding of the organization’s cyber risk posture and is well aware of, and trained on, the ever-changing cyber risk and threat landscape.
- Information Technology (IT) – IT plays a vital role in maintaining and elevating any organization’s cybersecurity posture. You can’t have good security if you don’t have good IT. A good Cybersecurity Program starts with policies and standards which everyone in the organization should follow. Since IT owns system administration, endpoint management, network management, server builds, and operations, it is critical for IT to follow the laid-out policies and be a good advocate of Cybersecurity. IT’s primary focus is to keep the business up and running and to contribute to digital transformation, innovation, and building new business solutions. In contrast, Cybersecurity is focused on reducing risk to the Business and safeguarding organizational assets. Because of these differing priorities, it is imperative to find a good balance between IT and Cybersecurity and for both teams to be in lock-step in every strategy development and deployment.
- Shadow IT Teams – Every organization has them: the small IT team within a Business Unit, or system administrators managing their individual systems outside of an organization’s IT department. These Shadow IT teams were likely created to better serve the Business with all the right intentions, but they create a big challenge for Cybersecurity and IT teams – individualization and deviation from best practices, bypassing change control, and, at the top of the list, not including the IT and Cyber teams. Best practice calls for consolidating the Shadow IT teams into the enterprise IT and Cyber teams, but it’s not easy. A CISO can educate the Shadow IT teams on cybersecurity best practices, train them on security awareness, and extend enterprise policies and standards to them. The Shadow IT teams share cybersecurity responsibility equally with the enterprise Cybersecurity team.
- End-Users –
  - Standard Users – Depending on the industry vertical, end-users can be very tech-savvy or novice. In healthcare, most end-users are not technical, and for good reasons – doctors, nurses, and clinicians are focused on improving well-being and providing care. Cybersecurity may not necessarily be at the top of their mind, and it’s the CISO’s job to increase their security awareness and train them to spot cyber threats. Ransomware and Phishing are top threats for many organizations, and email is a top threat vector for such cyber threats. End-users are the first line of defense: they can spot social engineering attacks if they are trained to do so, and they can contribute towards reducing cyber risk by following good security hygiene practices.
  - Privileged Users – Privileged users – system administrators, engineers, developers, and in some cases help desk staff – have more access than a standard end-user, so their identities are more valuable to cybercriminals. Typically, once a cybercriminal gets a foot in the door (e.g., with a phishing email), they move on to steal privileged access credentials to continue with lateral or vertical movement within the network. This makes it critical for the Cybersecurity team to protect privileged identities and workstations, and for privileged users to follow the best practice of refraining from using their privileged credentials for day-to-day tasks and to stay up to date on the latest cybersecurity threats.
  - C-Suite – Many C-Suite executives are cognizant of cybersecurity threats and are typically at the top of cybercriminals’ target list due to the authority, access privileges, and influence they hold in an organization. This makes it even more important for the C-Suite to be cyber-aware and to report suspicious events to the Cybersecurity team. For this reason, there should be focused security awareness training for the C-Suite.
- Vendors – Vendors are not directly responsible for an organization’s cybersecurity, but they greatly impact its cybersecurity posture indirectly. Given the multitude of products vendors provide and the partnerships they hold with organizations to enhance their cybersecurity posture, vendors play an important role in ensuring their products are built securely and free from security vulnerabilities, and that patches are provided when vulnerabilities are identified. There has been an increase lately in vendor-related security breaches and supply-chain attacks. A good Third-Party Risk Management Program can provide the governance needed to hold vendors accountable for following security best-practice controls within their own environment and for adequately securing and managing their products, client credentials, and client data.
Bottom Line: Cybersecurity is a risk, not a task. No one entity or team can be solely responsible for Cybersecurity. Moreover, it’s an enterprise risk, which means cyber threats do not target or disrupt only one team or Business Unit; they impact the entire organization. Therefore, the entire organization is responsible for reducing cyber risk by partnering with the Cybersecurity team to change the organization’s cybersecurity culture, managing cyber risk in their individual Business Units and areas within the organization’s risk tolerance levels, and advocating for cyber best practices.