Who should be held accountable when we have a security breach?

When you have an IT security breach, who should be held responsible?

Rick Bell
Enterprise Architect, Palmetto Health
Posted on Oct. 29, 2010

Thanks for the question Isaac.

I hesitate to think that this question and my response are required because you have had a breach. Assuming you have not had a breach, my answer is nebulous to say the least. The responsible party is whoever you designate as the accountable party for the organization's information security. See, I said it was nebulous. The point is that if that person or team has not been designated, it is in effect the highest-ranking information technology employee. And even with a designee, the ranking IT employee still maintains culpability. If that breach results in an impact to the business, is the CEO not going to be held responsible by the stakeholders in the company? The answer is yes, and the CEO won't search very far for someone to shoulder the direct responsibility.

Having said that, and I am taking some liberty here to get on the soapbox, no one should take what I have said here and go designate someone or a team as responsible for their organization's security without understanding what that means and supporting that designee. If I were designated my organization's CISO (Chief Information Security Officer) tomorrow, I would expect that, since I am accountable, I would have the latitude to do my job, and honestly, this is not the case in many organizations. I am happy to say that it is taken seriously where I am now, and part of my job as the enterprise architect is to consult the CISO when designing new solutions and strategies for our organization. To use the cliché, security is everyone's responsibility.

If the CISO is not allowed to have a voice or taken seriously, then the title is just that, a title. When the person who is held most directly accountable for IT security has no legitimate way to present risk, provide mitigation strategies, or do anything else that is really required to do the job they've been asked to do, then that person had better be good at documenting what they communicate to the decision makers. Not every risk is mitigated; some are acceptable risks. In many cases, upper management doesn't really want to do what it takes to prevent breaches resulting from risk that is addressable. Most do the minimum required to get a good night's sleep.

I hope this helps.

Rick


Rick's point that the CISO MUST have the ability to do the job is right on! In many companies the CISO is only an advisor and quite frankly powerless.

In many companies IT security is viewed as a network infrastructure issue when in effect it is much, much more than that. For example, over 70% of breaches are through the web application layer yet incorporating security best practices in the SDLC is seldom done.

Rick Davey
Founder, CEO and CRM, BI, Data Warehouse Consultant, Ridge Group LLC
Posted on Nov. 1, 2010

Most people always look to a technology issue, when in fact many security breaches are offline, not using technology. I can't tell you how many times I have heard that the security breach was someone, usually an employee, just walking out the door with documents or data. Therefore security is a multi-discipline responsibility: technical, making sure one cannot breach via a technology; physical, making sure no one can just walk out the door with something; and management, creating an environment where security is taken seriously.

Rick Davey

RidgeTek
CRM, Business Intelligence and IT Strategy Consulting
Site: http://www.ridgetek.net/

Blog: http://www.ridgetek.net/tech-insights/

William Martinez Pomares
Architect, Avantica Technologies
Posted on Nov. 1, 2010

Hello Isaac.
Do you want a so-so answer? Well, here it goes: it depends...
There is no such thing as total security, so having a breach is something that is entirely possible, and when it happens your main concern, after solving it of course, is to identify what happened.

You may have a CISO, but it is not a figure who manages security so that everyone else forgets about it. Everyone in the company should be aware of security, threats and procedures. There should be all necessary controls in place, based on a risk assessment. If a breach occurs, you need to identify whether the risk was taken into account, whether it had a control in place, and, if the control was in place, why it failed. At each step, many people would be involved, from the stakeholder not stating his need for security, to the risk manager not identifying the risk, to the control implementer failing at that implementation, to the guy that didn't follow the procedure, to the other guy that failed at auditing the control itself. So there is no single person's name; it is the company as a whole that should be accountable.

Michael Dortch
Senior Product Marketing Manager, ServiceNow
Posted on Nov. 1, 2010

If you must hold someone accountable, it should perhaps be whoever leads the effort to develop, maintain and enforce security policies at the affected organization. This is because, as Rick Davey wisely observed, security breaches are almost always a failure of policy and/or process adherence and/or enforcement and/or existence, not of any particular technology or technologies. Effective security processes and policies educate, encourage and empower users to be active participants in efforts to secure the information and resources they need to succeed at their jobs and to protect and preserve the company that provides those jobs. Policies and processes that focus more on technologies than on people are doomed to failure sooner or later.

Glen Marshall
Principal, Grok-A-Lot, LLC
Posted on Nov. 1, 2010

As others have said, it is possible to designate a person and make them accountable. But unless that person has the final authority to establish, implement, and enforce security policies, the actual accountable parties are his/her supervisors and managers all the way up to the CEO.

Some government regulations, e.g. HIPAA, require that a privacy *and* a security officer be named. It is best if they are two different people, as privacy and security are distinct policy domains.

Ultimately, when a breach significantly harms the company, its employees, or customers, it will be the CEO who is accountable.

For what it's worth, what do you envision that an instance of accountability would be? Is it punishment? Is it the duty to report and mitigate problems? Is it the obligation to put preventative measures into place? Is it performing the routines associated with security assurance?

vee srinivas
Consultant on Computer Systems & Security, Free Lancer
Posted on Nov. 2, 2010

Start with the CEO first.
Then look at IT. If roles like CISO, Head of IT, etc. exist and they have the power to enforce policies, then hold them responsible also. If the CISO is a toothless tiger, then there is no point holding him responsible. At my previous employer, where I was CISO/Head of IT for one (geographically separated) unit, I had introduced a policy for pen drives: 1. only company-manufactured pen drives (we were afraid of Chinese drives that came with a built-in virus), and 2. no pen drive may have a capacity greater than 128/256 MB. My rationale was that it was a temporary transport medium, not a storage dump. Much objected to, it worked for a while, as long as I was there: you need someone strong to enforce policies. The CISO must have the power to enforce; otherwise it is of no use.
