GDPR: Who is responsible for what?

The EU General Data Protection Regulation (GDPR) and the Network Information Security (NIS) directive are already causing a flurry of activity among businesses. Who is ultimately responsible for cybersecurity seems to be attracting particularly intense discussion. According to a recent study by Palo Alto Networks, cybersecurity is usually the responsibility of CIOs in 50% of companies compared to 30% of CISOs. This is a surprising finding, especially considering that the role of Chief Information Security Officer implies this task. Whether this changes is probably more of a political rather than technical matter. At least around 30 percent of respondents believe that the CISO or CSO should be responsible for cybersecurity.  The current situation points to long established and seldom adapted rituals in the distribution of responsibility within companies. Overseeing cybersecurity often comes with a caveat – anyone in this role must accept that they will often have to communicate incidents internally at the board level and increasingly to external stakeholders in light of changes introduced by the GDPR and NIS. This can quickly turn nasty, especially if an incident was caused by an employee under the CISO’s management or in the worst case even by a company director.

For a significant proportion of IT security managers, the prospect of even more regular and drawn out board involvement generally does not attract much enthusiasm, as the Palo Alto Networks study revealed. In the UK and Germany, the number of respondents skeptical of management involvement was particularly high at 56% and 53%. Although an almost equal share of respondents found the involvement of management to be good, one-third saw the increased interest of management in particular as a hindrance. It depends on how well top-level executives understand the role, potential, and limits of IT security. Many IT security managers were pleased with the opportunities offered by the GDPR and NIS. No organization will be able to ignore evaluating their IT security policy against the new directives and this will bring an opportunity to address and raise awareness of long-neglected aspects of IT security. Presenting IT security at the board level is an art form in which many IT managers have improved considerably.

The authors of the study actually use the term "translation". C-level executives usually think in business-related terms. This means IT security managers must express the costs and the consequences of incidents in business terms. This is how managers understand what is at stake and can either release resources or accept the risks and consequences. Translating IT security into business terms also makes it easier for both sides to define acceptable risks. The upcoming discussions should also be used to revisit areas of policy which need updating. Aspects which were considered compliant two years ago can become obsolete and inadequate within a year. GDPR and NIS are important directives for current compliance policy and companies who wish to remain compliant must follow these directives.

Despite all the challenges, both current and emerging, nearly two-thirds of cybersecurity professionals believe that a security incident should be seen as a way to learn from mistakes and refine security measures. Now if that is not good news.