Security expert Lesley Carhart tweeted last month, “If you’re a CEO, CFO, or CIO, you’re directly responsible for the caliber of cybersecurity at your company.” During the recent RSA conference in Singapore, RSA’s CTO, Dr. Zulfikar Ramzan, described several different C-level executives who could have direct responsibility for some portion of your security infrastructure: CEO, CIO, CSO (or CISO), CTO, and the Chief Data Officer (CDO). If three is a crowd, then this is a herd. Or maybe a pod; I never really learned those plural descriptors. And that is just the top management layer: for a large corporation, there could be dozens of middle managers who handle the various security components.
From the IT folks I have interviewed over the years, this seems sadly all too typical. And that is a major problem, because it is easy to pass the buck (or the token or packet) from one department to the next.
You can read my blog post for RSA here about how to try to collaborate and jointly own your security apparatus.