The resignation of Target's chief executive officer (CEO) and chief information officer (CIO) following the company's data breach in 2014 may mirror board members' attitudes about who is responsible for cyber incidents, according to a survey released last Thursday by Veracode and the New York Stock Exchange.
Of the nearly 200 directors of public companies in various industries who were surveyed, most named the CEO as the individual who should be held most accountable when a data breach occurs. The CIO came in second, and the CISO came in fourth.
“It makes sense that the CEO, who is responsible for the overall business, should also be accountable for the security risk as well,” Chris Wysopal, CTO & CISO of Veracode, said in an email to SCMagazine.com. “Ultimately it's still the role of the CISO to manage this risk, however, he's no longer alone.”
Wysopal noted that it comes down to understanding, assessing and mitigating risk, and indicated that the CEO has to take a leadership role.
“While the CEO isn't expected to understand the technical implications of cybersecurity, he or she is responsible for empowering those that do to speak up and provide support for initiatives that will ultimately reduce the risk,” Wysopal said. “The C-suite needs to start becoming active in these conversations, and not ‘tune out’ when the topic comes up in the boardroom.”
The survey also found that board directors aren't confident in their company's abilities to defend against data breaches. Sixty-six percent of the respondents reported being “less than confident” when asked if they felt their companies were properly secured against cyber attacks.
Despite the importance placed on cybersecurity, “security risks” ranked second to last when respondents were asked about their top concerns for releasing new technology-based products and services to the market. Revenue potential, competitive differentiation and developmental costs all ranked higher.
However, more than 70 percent of respondents indicated that they were at least somewhat concerned about potential risks that could arise from third-party software in their supply chains.