Accountability for Corporate Cybersecurity

Transcription

1 Accountability for Corporate Cybersecurity Who Owns What? Clear, Visually Defined Corporate Wide Accountability bl Within the NIST Cybersecurity Framework Bridging the gap between operations and strategy

2 Cybersecurity yis a Corporate Responsibility Boards that choose to ignore, or minimize, the importance of cybersecurity, do so at their own peril, il Luis A. Aguilar, Commissioner, i New York Stock Exchange 1 Data security breaches have progressed from low probability, bbl high h consequence to high probability, high consequence Cyber attacks are creating more concern about potential damage to corporate reputation, class action lawsuits, and costly downtime 2 Senior executives are motivated to become involved in data breach response: Help reduce financial impact 2 Protect their companies reputation and brand 2 1 June 10, 2014 Speech Boards of Directors, Corporate Governance and Cyber Risks: Sharpening the Focus 2 Ponemon Institute The Importance of Senior Executive Involvement in Breach Response, October 2014

3 Cross Functional Accountability for Effective Corporate Cybersecurity Cbersecrit Management is Required The NIST Cybersecurity Framework is Comprehensive, Well Vetted, and Widely Adopted The Framework s Technical Aspects, Sophistication, and Complexitycan Lead to Silos of Cybersecurity Management and Response Within the Organization Ownership of the Creation and Maintenance of the Corporate Security Plan Should Remain with Either the Security or IT Department Many Aspects of Cybersecurity Accountability Naturally Reside Outside of the Security and IT Departments

4 Assignment of Corporate Cbersecrit Cybersecurity Accountability Responsibility Assignment Matrix (RACI Matrix) Used to Assign Accountability Across the Organization Responsible (The Doers) Those who do the work to achieve the task. There is at least one role with a participation type of Responsible. Accountable (TheBuckStops Here) The one ultimately answerable for correctness and thoroughness of the completed task. Consult Those whose opinions i are sought, typically subject matter experts. Two way communication. Inform Those kept up to date on progress with whom there is one way communication.

5 NIST Cybersecurity Framework Within PDFramework PDFramework A Web Framework Designed to Deliver Procedural lcontent and Roles of Accountability with ih Unprecedented Visual Clarity

6 Within the Identify Category Understand andprioriti Prioritize etheb Business sinessenvironment

7 Understanding and Prioritizing the Business Factors Better Suited to CFO or Strategic Committee

8 Awareness and Training Within the Protect Category

9 Awareness and Training Accountability Belongs to the Director of Security, Various Departments are Responsible for Execution

10 Data Breach Response Coordination Must Be Carefully Designed and Effectively el Executed

11 Design and Execution of Public Facing Response Efforts Better Suited for the Legal and Communications Team

12 Questions, Insights, and Comments Requested Please visit the PDFramework version of the NIST Cybersecurity Framework at: Henry Draughon Office: (972) Cell: (214)