CEOs should be held accountable for cyber attacks and data breaches

CEOs should be the ones responsible in case of a cyber-attack and a data breach in an organization, according to a new report by Tripwire.

Polling Infosecurity Europe 2017 attendees on who should be held accountable in such a scenario, 40 percent said CEOs. CISOs are the second in line with 21 percent of answers, while 14 percent would blame the CIO.

Tripwire says CEOs should be aware of the "basic principles of security," and remembered the example of former Yahoo CEO Marissa Mayer, who forfeited her cash bonus following a breach.

However, CEOs shouldn’t be the only ones holding responsibility for cyber security. "Foundational security controls should be demonstrated from the board level all the way down to the workforce," the report states.

"Accountability starts with the CEO, but information security is a shared responsibility across every function and level of an organization," said Tim Erlin, VP at Tripwire.

"Data breaches are a problem that the board-level executives need to be responsible for addressing, which means that the CISO must be involved in those board-level discussions. The board can’t take meaningful, productive risk management action without that expertise in the room."

"Nevertheless, even the most diligent organizations are still susceptible to attack, and to human error. Businesses need to implement and maintain a core set of foundational security controls, which is a proven strategy for reducing the risk of cyberattacks. The focus should be on a balance of tools and outcomes, and especially a balance between prevention and detection."

The report also said the Operations department struggles most with cyber attacks, followed by finance, sales and marketing.

Published under license from ITProPortal.com, a Future plc Publication. All rights reserved.

Photo Credit: Rawpixel.com/Shutterstock