In the event of a security breach, is the CISO ultimately at fault regardless of the business’s risk acceptance?
I’ll throw some of the old guard in there too, because I've had peers in Fortune 500 companies who are at least as old as I am, and who've been doing it as long as I have, who tell me that it's not their problem because the business accepted it. I'm like, "You better take it as your problem, because if it's manifested, you're the one responsible for keeping material harm from occurring."
When risk manifests itself, we are still responsible for detecting and responding to it to prevent material harm or impact, regardless of the business’s acceptance of risk. We are risk managers, which means we always have to be prepared for risk potential to manifest itself and ready to minimize the damage. The damage may still be large, but at least it's contained enough that it doesn't create cataclysmic, material or significant harm. I've seen so many peers who say, “Well the business accepted the risk,” and absolve themselves of any responsibility to react to it because the business accepted it.
We shouldn't be doing that. And I'm seeing a lot of that in the younger generation.
When the VP of engineering says, "I got the boss to sign off on it, so what’s your problem?" the common response among the younger-generation CISOs is, "Fine, you guys deal with it." But if there is a breach, it’s the CISO who will be dragged in. They all will be fine.