August 18, 2016

Why the CEO is Not the Only One to Blame for a Data Breach

MPs in the UK caused quite a controversy recently when they recommended that companies which fail to guard against cyber attacks should link the salaries of their CEOs to effective cyber security.

Blaming the CEO for a data breach is not new.

In a 2015 survey by Veracode, 200 corporate directors also blamed the CEOs of organizations most for data breaches. When a major data breach occurs, more than 2 in 5 respondents would hold the CEO accountable, saying the CEO "should face the brunt of breach-related backlash".

Of course, many CEOs have suffered. There have been many instances reported in the news of CEOs who resigned, retired or were fired as a direct result of a data breach.

But is a data breach really the fault of just one person in a company?

The Veracode survey also assigned blame to the Chief Information Officer (CIO), the full C-Suite, and the Chief Information Security Officer (CISO). In other surveys, IT departments and employees have been held responsible.

Here is how these different players figure in cyber attacks and data security:

CEO: The CEO is responsible for the business as a whole, and it’s a mistake not to have expertise, technology, strategy, and company-wide safeguards in place. The CEO should prioritize the protection of customer data, and engage the entire leadership team.

CISO: The CISO – or Chief Security Officer (CSO) – is a cyber security professional in charge of protecting a company’s data and technology. But one security strategist commented that the absence of an appointed CISO in many organizations shows that those businesses are not taking the risks they face seriously.

C-Suite: Improving cyber security should be a priority of the C-Suite, and there should be a culture of security from the top down. In the Ponemon 2016 Cost of a Data Breach report, board-level involvement reduced the per-record cost of a data breach by $6.90; companies paid an average of $221 per lost or stolen record in the U.S.

IT Department: The IT department is at the center of addressing and fixing security breaches once they occur. But IT also plays a critical role in supporting the cyber security policy, and in keeping digital information and hard drives protected, both in and out of the workplace.

Employees: Employees are really the first line of defense in any organization. To minimize the risk of a cyber breach, they need on-going security awareness training. Improving cyber security also means embedding security-driven procedures into the workplace – for example, partnering with a document shredding company for the secure destruction of hard drives and e-media.

At the end of the day, many security experts believe that everyone in the organization should be held collectively to blame for a data breach, not just the CEO.

"It’s every employee’s responsibility to look after security in terms of prevention and identifying risks," said one security expert.

A protected workplace relies on a comprehensive document management process that protects confidential information from creation through to disposal.