The proper definition and assignment of information security roles and responsibilities has always been a key principle of information security governance. In fact, every major information security and data privacy regulation requires that the organization document roles and responsibilities.
Despite being such a core governance requirement, in practice many organizations are still behind in compliance. As recently as May 2012, a report entitled Governance of Enterprise Security published by CyLab (the cyber-security research arm of Carnegie Mellon University) shows that a majority of companies (66%) have seldom or never had their board review and approve roles & responsibilities of lead personnel responsible for privacy & IT security.
In fact, according to the CyLab report, less than two-thirds of the Forbes Global 2000 companies surveyed have full-time personnel in key roles responsible for privacy and security in a manner that is consistent with internationally accepted best practices and standards.
Information Shield’s 2011 Information Security and Data Privacy Staffing Survey shows similar results. The survey indicated that only half (51%) of organizations report having appointed a Chief Information Security Officer (CISO) or equivalent position, while only 30% reporting have a Chief Privacy Officer (CPO) or equivalent position. While these numbers have been increasing for some time, they still represent a major gap between governance requirements and reality in many organizations.
There are many reasons why adoption is lacking. As Charles Cresson Wood discussed in Information Security Roles and Responsibilities Made Easy, one of the key misconceptions is that the scope of information security roles and responsibilities is confined to the Information Security Department. In fact, the information security function has become a multifaceted, cross-department team effort involving everyone in the organization.
Management, Governance and Visibility
One of the by-products of poorly defined information security roles and responsibilities is that critical information never makes it so senior management. Without a formalized accountability and reporting structure, management is often left in the dark regarding the true risks to the organization. This leads to an overall disconnect between the Board and other senior managers with regard to information security risks.
The CyLab report confirms this by stating: “One of the most important advance findings of the CyLab 2012 Governance survey is that boards and senior management still are not exercising appropriate governance over the privacy and security of their digital assets.“
In fact, the top-two recommendations from the report to help increase management visibility were to (1) Create top-down approach with consistent information security policies, and (2) Review roles and responsibilities for privacy and security and ensure they are assigned to qualified, full-time senior level professionals and that risk and accountability are shared throughout the organization.
Real Returns – Data Breach Cost Reduction
Data from the research field is starting to confirm what is implied in most data protection laws: Having a defined senior manage responsible for information security and data privacy is truly effective.
2011 Cost of Data Breach Study sponsored by Symantec and the Ponemon Institute show that having an appointed CISO with overall responsibility for enterprise data protection is the single greatest factor for reducing the cost of a data breach.
If the organization has a CISO with overall responsibility for enterprise data protection the average cost of a data breach can be reduced as much as $80 per compromised record. This was roughly a 30% average savings per record. Withe the average breach cost now at nearly $3.1 million per breach, these savings can be significant. The other key factor dramatically reducing breach costs was the use of outside consultants. Outside consultants assisting with the breach response can save as much as $41 per record (16%). And yet, organizations should not outsource key information security that they don’t already have defined and documented within their own programs.
The cost savings are extending when each member of the organization becomes aware of their information security roles and responsibilities through proper awareness and training. In fact, the 2011 Cost of Data Breach Study shows that for the first time, mistakes from insiders were the leading cause of data breaches, surpassing external attacks.
Defining Information Security Roles and Responsibilities
Information Security Roles and Responsibilities Made Easy (ISRRME) was designed to help organizations properly develop this key pillar of information security governance. Among the key features are pre-written information security-related job descriptions for 40 different job roles. Also included are 20 different department mission statements linking various departments to their roles within the enterprise data protection landscape. Using these professionally-made templates can save organizations hundreds of hours in development while leveraging the experience of nearly 100 other organizations.