Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
C. Warren Axelrod

Classy Data (pt. 3) – Ownership and Risk

I once sat on a panel with a couple of well-known CISOs: one from a major bank and the other from a big software vendor. The moderator asked what the role of a CISO is. I said that it was to be the fall guy when something went wrong. You should have heard the drubbing I got from the software vendor’s CISO. She said that in her company there was mutual respect between business managers and security folks. Well, just look at what happened to a number of high-visibility CISOs when breaches occurred. All I can say is that their longevity in the job was severely curtailed.

Be that as it may, the issue of data ownership and liability is largely unresolved. I have personally worked in situations where the process of assigning owners to data was relatively sophisticated and there was much cooperation between business managers and the security folks. But let’s not kid ourselves: even the best collaborative processes do not do the job. And that is because, as I wrote in my first column on ROSI, it is very difficult to estimate the risk and liability emanating from a particular case. This is particularly true when it comes down to deciding who should be accountable when data are lost, stolen or otherwise compromised, as they surely will be.

So let’s imagine how this might play out in a typical corporate environment.
