Accountability for Corporate Cybersecurity
Who Owns What?
Clear, Visually Defined Corporate‐Wide Accountability
Within the NIST Cybersecurity Framework
Bridging the gap between operations and strategy
Cybersecurity is a Corporate Responsibility
“Boards that choose to ignore, or minimize, the importance of cybersecurity, do so at their own peril,” Luis A. Aguilar, Commissioner, New York Stock Exchange [1]
Data security breaches have progressed from low probability, high consequence to high probability, high consequence
Cyber attacks are creating more concern about potential damage to corporate reputation, class action lawsuits, and costly downtime [2]
Senior executives are motivated to become involved in data breach response: Help reduce financial impact [2]
Protect their companies’ reputation and brand [2]
© 2015 Process Delivery Systems
[1] June 10, 2014 Speech ‐ Boards of Directors, Corporate Governance and Cyber‐Risks: Sharpening the Focus
[2] Ponemon Institute – The Importance of Senior Executive Involvement in Breach Response, October 2014
Cross‐Functional Accountability for Effective Corporate Cybersecurity Management is Required
The NIST Cybersecurity Framework is Comprehensive, Well‐Vetted, and Widely Adopted
The Framework’s Technical Aspects, Sophistication, and Complexity can Lead to Silos of Cybersecurity Management and Response Within the Organization
Ownership of the Creation and Maintenance of the Corporate Security Plan Should Remain with Either the Security or IT Department
Many Aspects of Cybersecurity Accountability Naturally Reside Outside of the Security and IT Departments
Assignment of Corporate Cybersecurity Accountability
Responsibility Assignment Matrix (RACI Matrix) Used to Assign Accountability Across the Organization
Responsible (The Doers) ‐ Those who do the work to achieve the task. There is at least one role with a participation type of Responsible.
Accountable (The Buck Stops Here) ‐ The one ultimately answerable for correctness and thoroughness of the completed task.
Consult ‐ Those whose opinions are sought, typically subject matter experts. Two‐way communication.
Inform ‐ Those kept up to date on progress with whom there is one‐way communication.
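The RACI rules above can be checked mechanically before a matrix is published. The following validator is an added example, not code from the presentation or from PDFramework: it enforces that every task has at least one Responsible role and exactly one Accountable role, and that only the letters R, A, C and I are used. The category identifiers are NIST Cybersecurity Framework ones; the role assignments and the deliberately defective rows are constructed for illustration.

```python
# Added example: validator for a RACI matrix mapping NIST CSF categories to roles.
# Rules enforced (from the RACI definitions): at least one R and exactly one A per task.
from typing import Dict, List

RACI_LETTERS = {"R", "A", "C", "I"}

# Constructed sample matrix: task -> {role: participation type}
SAMPLE_RACI: Dict[str, Dict[str, str]] = {
    "ID.BE Business Environment": {"CFO": "A", "Strategy Committee": "R", "CISO": "C"},
    "PR.AT Awareness and Training": {"Director of Security": "A", "HR": "R", "IT": "R", "Legal": "I"},
    "RS.CO Response Communications": {"Legal": "A", "Communications": "R", "CISO": "C"},
    # Deliberately defective rows to show what the checker reports:
    "RS.RP Response Planning": {"CISO": "R", "IT": "R"},            # nobody accountable
    "ID.GV Governance": {"CEO": "A", "Board": "A", "Legal": "C"},   # two accountable, no doer
    "DE.CM Monitoring": {"SOC": "X"},                               # invalid letter
}


def check_raci(matrix: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return task -> list of rule violations (an empty list means the row is valid)."""
    findings: Dict[str, List[str]] = {}
    for task, assignments in matrix.items():
        problems: List[str] = []
        bad = sorted(v for v in assignments.values() if v not in RACI_LETTERS)
        if bad:
            problems.append(f"invalid participation type(s): {', '.join(bad)}")
        responsible = [role for role, v in assignments.items() if v == "R"]
        accountable = [role for role, v in assignments.items() if v == "A"]
        if not responsible:
            problems.append("no Responsible role (at least one required)")
        if len(accountable) != 1:
            problems.append(f"expected exactly one Accountable role, found {len(accountable)}")
        findings[task] = problems
    return findings


def valid_tasks(matrix: Dict[str, Dict[str, str]]) -> List[str]:
    """Sorted list of tasks whose assignments satisfy every rule."""
    return sorted(task for task, problems in check_raci(matrix).items() if not problems)


if __name__ == "__main__":
    for task, problems in check_raci(SAMPLE_RACI).items():
        print(f"{task}: {'OK' if not problems else '; '.join(problems)}")
```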
NIST Cybersecurity Framework Within PDFramework
PDFramework – A Web Framework Designed to Deliver Procedural Content and Roles of Accountability with Unprecedented Visual Clarity
Within the Identify Category – Understand and Prioritize the Business Environment
Understanding and Prioritizing the Business Factors Better Suited to CFO or Strategic Committee
Awareness and Training Accountability Belongs to the Director of Security, Various Departments are Responsible for Execution
Data Breach Response Coordination Must Be Carefully Designed and Effectively Executed
Design and Execution of Public Facing Response Efforts Better Suited for the Legal and Communications Team
Questions, Insights, and Comments Requested
Please visit the PDFramework version of the NIST Cybersecurity Framework at:
• http://processdeliverysystems.com/v2pds_nist/index.htm
Henry Draughon
Office: (972) 980‐9041
Cell: (214) 707‐4450
hdraughon@processdeliverysystems.com
www.processdeliverysystems.com