Jody Brazil of FireMon, which helps organisations to manage their security technologies and assess the risks to their networks, told Out-Law.com that company directors are wrong to place the primary responsibility for systems security on their IT security team.
He said that whilst ultimately it is the board members who are "accountable to shareholders, the public or law enforcement" for security failures, those board members can improve the internal accountability for the security of systems by requiring the "business unit" – mid-level managers, heads of department and project leaders – to "sign off" on the security of new technology and systems they wish to introduce into use by the business.
"For an outside attacker gaining access to protected resources, ultimately the board room is going to be held accountable," Brazil said. "They will want to push responsibility down through [their] organisations to the people requesting change [to technologies or systems]. That person should be held accountable and responsible for the security failures of those systems in the same way that they would be held responsible for the financial failure of a project."
Brazil said, though, that this model of internal accountability is currently very rarely deployed. He said that board members generally place the responsibility for systems security in the hands of their security team, but he identified problems with doing so.
Where responsibility is placed on the security team in this way, its members are not given the "power" to make decisions on security issues, but they are tasked with reporting to the board on security risks so that the board members can assess whether to spend more on security, Brazil said.
However, he said that because the security team "talk in technology terms" it creates a "barrier" between them and others in the business and can mean that information shared between project managers, the security team and the board room is not sufficient for a proper risk assessment to take place.
Brazil said that security teams should instead offer a supporting role to project managers when implementing new systems and technology for use in projects. They should be required to explain to project managers, in terms those managers can understand, the level of risk associated with the technology to be used in projects. It would then be up to project managers to relay this information to the board room and for board room members to assess the "cost versus risk trade-off", he added.
Brazil said it was "healthy" that project managers, when made aware of security issues by the security team, would be directly responsible for reporting the risks to the board room in order to let them decide upon what action to take. This is because the process would make project managers more diligent about security concerns knowing that they could face disciplinary action or be relieved of their duties if security vulnerabilities in project systems resulted in a cyber breach where they had not flagged up the risks, he said.
Project managers would be able to say they "did their job" if they properly liaised with the security team and reported risks to the board room, even if a cyber breach later occurred and the board had decided not to act to resolve security issues they had been notified about, Brazil said.
Brazil said that, in his experience, "companies where business units take personal responsibility for security and work with [the] security team" perform better on security than those that give responsibility for security to their security teams.