Cover Story: Who holds cyber accountability and responsibility?

Take a deep dive into insights from senior players.


Earlier in the year, Digital Nation held its first 'Digital as Usual' event for 2024, bringing together board members, cyber security experts and C-suite level players to discuss various angles of the cyber experience across an organisation. 

This chapter focussed on accountability and responsibility, exploring roles and duties across an organisation and posing the question - who is ultimately accountable? 

Board accountability

Leah Fricke, a non-executive director with experience as a senior executive in both the private and public sectors, said responsibility needs a multi-layered approach.

“Within an organisation, I think there's no necessarily right or wrong around who has what responsibility in my view,” Fricke said. 

“The importance is making sure that you've got the right skill sets, the right processes and that it's clearly mapped who is doing what and how. The outcome that the organisation wants is going to be achieved.

“In that process, the role of the board generally is in asking the questions that get to the heart of the issues.”

Directors also recognise that outsourcing may change certain liabilities; however, accountability for the consequences of cyber breaches ultimately rests with the board and leadership, Fricke explained.

“No leadership team and no board can get away from ultimate accountability for the potentially negative outcomes of some form of cyber breach.”

Fricke said organisations can draw upon established risk culture and methodologies to help boost cybersecurity awareness.

When creating a culture of security awareness, both a company’s own employees and its outsourced providers need to be part of that conversation.

Individual accountability also has a role to play, according to Fricke, who said each individual should take their own actions into account, as “thinking about it after the event is too late.”

Role of the CISO

Steve McCormick, NCS Australia CISO and chief customer architect said, “The role of the CISO extends beyond a focus solely on IT technology to encompass a holistic consideration of the entire business landscape, including processes, commercial aspects, client relationships, and go-to-market strategies.” 

The CISO is accountable to top management, the CEO or the board for developing, operationalising and continually improving an information security management system to control the cyber risk position, according to McCormick.

“Recent reports in Australia indicate that cyber uplift ranks as the top investment over the next two years. However, this concern often dissipates as it cascades down through the organisation,” he explained. 

Much like Fricke, McCormick said it’s “crucial” to recognise and accept that cyber risk management is a shared responsibility across multiple departments and individuals. 

Outlining an information security management system (ISMS) with “clarity and effectiveness” “is critical”, McCormick said, as it articulates the policies and procedures for systematically managing an organisation's sensitive data.

It's everyone’s problem

Expressing similar views, Chris Noone, CEO of Carly Car Subscription, said a whole-of-business approach is needed when it comes to cyber responsibility.

“Certain parts of the business can't divorce themselves from those aspects and just say that it's someone else's problem because cyber security goes right across the whole business.”

“It needs to be part of the job description of everyone, both in C-suite, but also lower down in the organisation and certainly at the board level as well.”

Claudine Ogilvie, CEO and founder of HivePix said, “Effectively safeguarding an organisation from cyber-crime requires a coordinated effort from top leadership, shared responsibilities and clear accountability.”

According to Ogilvie, specific regulatory frameworks and accountabilities must be addressed at board and executive level, alongside a “robust cyber security strategy” and an “engaged external eco-system”, so that “they address risk, resilience and reputation.”

“When we consider the role of accountabilities in a strong cyber posture, a key to effective outcomes is alignment and culture. 

“Implementing effective technical controls is challenging enough, however, their effectiveness is heavily influenced by how teams in all parts of the business prioritise their responsibilities, how well they are engaged and trained in what their responsibilities are and if they have the tools and skills to effectively carry them out,” Ogilvie said. 

Fricke also discussed how the emergence of new technology is reshaping the market, leaving businesses in an uncertain situation “around responsibility, accountability and communication channels and who will respond.

“Some of that is because historically we've not necessarily set up our outsourcing relationships with all of that in mind and then there's a clarity in contractual provision. 

“Are we clear to the extent that there's a contract between two parties on how those two parties will work together? Sometimes when there's clarity around liability and responsibility, the capacity for people to work collaboratively to achieve an outcome can be impacted by the perception of who's legally responsible and who will suffer the economic loss.”

Ensuring documentation is up to date can already be “potentially an enormous project”, Fricke added.

Ogilvie also addressed this, stating: “Beyond the immediate structures of the organisation, boards and executives need to address security risks in the supply chain and with third-party suppliers. Risk accountabilities cannot be delegated to a third party.”

When an incident does occur, Noone said it's important for organisations to remember that no two incidents are the same when it comes to breaches.

Roles in a crisis

When an event occurs, even with each player across the organisation carrying out set duties, it's still important to remember that “incidents never follow a script and they're always very different.”

“You might war game certain scenarios. You might plan for many more scenarios. But the one thing that's probably guaranteed is if an incident does occur, it may follow a different scenario to what you've thought of as well.”

Noone highlighted the importance of establishing communication channels for dealing with “out-of-the-box issues that evolve.”

“If you look at some of the recent larger cyber incidents in Australia with large, well-known companies, things happen that they didn't expect.

“They couldn't even communicate with each other in some cases, so you've got to think quite creatively,” Noone said. 

McCormick said, “It is now widely acknowledged that every organisation has experienced or will experience a breach.”

“It is increasingly recognised that achieving a level of zero risk is neither economically nor technologically achievable.”

McCormick said that as long as people and systems are involved, “errors are inevitable”, making risk management necessary.

“Adding to this challenge is the rapidly changing landscape of cybersecurity threats and risks, which evolve at a pace faster than any other aspect of business and technology,” McCormick said. 

As part of overall responsibility and accountability, Noone explained it's important to act on the lessons learned once an incident has passed.

Noone added that blame is not a useful tool post-incident; rather, “it's a matter of understanding how the processes were insufficient and how those risks are mitigated in the future.”

Organisations can also face the fallout from breaches at other companies, which means they need to stay alert to external issues, Noone added.

“We keep a pretty close eye on what is happening externally to us and we share a lot of that information right across the business with the larger hacks that have occurred recently. We've challenged ourselves to say, are we exposed to the same sort of issue?

“It's very important for us to understand both the risks in our own organisation, but what risks have also been created by other companies who have allowed personal data to be released onto the web.”

© Digital Nation