The Christian Science Monitor reported on this survey and observed,
“More than four in 10 of the directors in the survey felt that a company’s chief executive officer should take the rap for a data breach. When asked to prioritize who should be held accountable for such incidents, corporate boards ranked the chief executive officer first, followed by the chief information officer, and then the entire executive team.”
To me, the entire premise of this discussion needs to shift from blame to preparedness, governance and, above all, teamwork. We live in a world of continuous compromise. Threat actors, many funded by nation states, are highly sophisticated, well-funded and patient. If they target you, they will at some point compromise your network. While prevention serves as a meaningful and necessary deterrent, no preventive solution is 100% effective. Admitting these realities is the first step to moving on.
The discussion among the board and C-level staff needs to start there. There is NO blame when a bad guy gets into your network; this WILL happen, and most likely already has. And while admitting this may seem like giving up, on the contrary it allows us to move beyond failing prevention-only strategies and go on the offensive by being agile and responsive, finding and remediating potential breaches with more agility and success. Empowering the CISO and her team starts with removing blame and enabling her to be prepared for, and responsive to, this inevitability.
Shared knowledge, visibility into both goals and data, and mutual trust are all needed to move forward. But first, we have to change our mindset and end the blame game. Are you ready?