Polls, who doesn't like them? There are plenty of topics and questions that keep us busy on a daily basis, but we don't always know how to answer them easily. This certainly applies to a field as broad as data security. In that case, it can be useful to include opinions from different perspectives: on the one hand to start interesting discussions, on the other hand to gain more knowledge on that specific topic.
That's why we started a poll on LinkedIn last week. According to the latest numbers from DLA Piper, the number of data leaks in Europe since the introduction of the GDPR is still too high. We found that interesting enough to look into in more detail. Because who is actually responsible for a data leak? We put this question to various professionals working in the field of data security.
And guess what?
The vast majority of the participants chose the Chief Information Security Officer (CISO) / Data Protection Officer (DPO):
That may make sense to many. A simple internet search tells us that these functions "are responsible for the decision to do or not do something and the consequences" (source: Dutch government). This would therefore mean that if a data leak occurs, these persons within the organization are held responsible.
Nevertheless, this issue appears to be more complex. Should one person or a few people be singled out when, technically, anyone in the organization could cause a data leak? After the CISO and DPO, many (33%) also thought that Management could be designated as ultimately responsible. One of the respondents indicated: “Management is ultimately responsible for a data leak. SOX states that management is responsible for implementing controls (such as awareness) to mitigate risks (such as a data leak) that could impact business operations and financial reporting.”
While many take the position that one person or a select few are responsible, many also think otherwise.
Maybe it's not that simple. Everyone within the organization needs to take ownership. You share not only successes, but also losses. “Everyone contributes”, be it positively or negatively.
Another respondent sees it that way too: “Everyone in the organization is responsible. It takes every single person to make sure they know the risks and that they know they are responsible for understanding the policies, standards and procedures related to their job. Security needs to be integrated into every task. A simple Operational Risk Management (ORM) process can be run through your head at every point in your workflow:
1. "If I click on this email, what are the outcomes?" This is ORM.
2. "If I transfer this file to a USB drive, what could happen?" This is ORM.
3. "If I open this inbound port on the firewall, what risk does it pose the rest of the network?" This is ORM.
All employees need to take a second and ask “What if?” before you do anything on your work computer or network. It only takes a few seconds but could save so much in the end. To that end, I say Security Awareness needs to be at the top of any corporation's to-do list. Lead from the top by showing them how important security is to the C-suite, and the rest of the organization will follow.”
So, should we point to a single person as the one responsible in this matter?
This poll found that the CISO and DPO were put forward as being responsible. Yet there are also plenty of people who think otherwise. Preventing data leaks is something we do together; it is in all of our hands.
Instead of looking at who is responsible, we should look at how we can prevent data leaks from happening in the first place. By starting small and training our employees, we come one step closer to securing our data!