
C-level unclear on governance, risk and compliance responsibility

A new survey uncovered confusion in the C-suite about governance, risk and compliance responsibilities and which security compliance requirements may affect companies.

A new survey highlighted potential confusion in the C-suite regarding how governance, risk and compliance affects companies and who is responsible for security compliance issues.

The survey conducted by cloud and data management company Liaison Technologies asked 479 senior and C-level executives from mid- and large-sized companies across the U.S. about information security and privacy obligations, and the results surprised experts.

Liaison found 47% of executives asked were unsure what data compliance standards applied to their organizations, and only 3% said Payment Card Industry Data Security Standard compliance applied to their companies.

Chris Pogue, CISO at Nuix, based in Sydney, said, before seeing this data, he thought "most C-level executives [were] aware of which governance, risk and compliance regimes they are beholden to," and he was very surprised by the results of the survey. 

"While there is logically no or little expectation that these executives will understand the nuances of the governance, risk and compliance regimes that apply to their respective organizations, you would think that they would at least have some idea of which ones they are beholden to," Pogue told SearchSecurity via email. "Compliance to these regimes not only ensures that the organization is in proper standing with government- and industry-regulating bodies, but it also can have a direct nexus to violations, fines and litigation -- all of which can cost the company millions of dollars in lost revenue, contribute to loss of market share and even serve as a catalyst of shareholder derivative lawsuits. Failure to even understand where your organization's responsibilities lie, in my opinion, reeks of willful blindness."

Travis Rosiek, CTO at Tychon LLC in Fairfax, Va., said executives need to be aware of compliance, because "a breach could cause grave damage to the company's bottom line and reputation." 

"If the C-level isn't involved or doesn't have visibility into these gaps, then they won't know where to make the appropriate investments to minimize risk. However, it is important to note that compliance standards don't adapt fast enough to keep up with the dynamic threat, and achieving compliance should only be a portion of their strategy, and not their end goal," Rosiek said. "Leveraging capabilities that help provide a consolidated view for both IT and security in near-real-time is invaluable for C-level execs to get the visibility that they definitely need."

The survey found 25% of respondents were unsure who is principally responsible for information security and privacy at their organizations, while 30% said it would be the CEO's responsibility and 17% chose the chief security, risk or compliance officer.

Jonathan Nguyen-Duy, vice president of strategic programs at Fortinet Inc., based in Sunnyvale, Calif., attributed this uncertainty regarding governance, risk and compliance in part to the C-level structure at midsize businesses.

"Many midsize privately held companies have limited security awareness, as they may not have a CSO and are not exposed to shareholder class-action lawsuits," Nguyen-Duy told SearchSecurity. "The board and the C-suite are responsible for three separate but interconnected elements of an organization: the business itself, customer data and shareholder interests. When it comes to security, though, the traditional stewards of the organization are not always equipped with the necessary perspective, skills or knowledge. The wrong focus can, in fact, create a perfect storm of imperfect stewardship, in which security is viewed as a cost center, rather than an essential element of risk management."

Rosiek said, "Everyone should be responsible, including all suppliers and partners, as an organization is only as strong as their weakest link." 

"I think that it is important for C-level execs to lead by example; in many cases, I've seen executives not follow good security practices for various reasons, which impact the whole organization," Rosiek said. "What they don't realize is they are sending a message to the rest of the company that security and privacy [aren't] a corporate priority."

Simon Crosby, co-founder and CTO at Bromium, based in Cupertino, Calif., said every enterprise needs to have a CISO to oversee governance, risk and compliance.

"Most large organizations have taken this step, but it's challenging for smaller orgs to find resources and hire skilled security professionals," Crosby told SearchSecurity. "Responsibility lands with the CFO or CEO, but if there is no CISO, then an organization should seek a managed service provider that can ensure that the appropriate organizational and operational security is in place."

Liaison also said personal responsibility may be underestimated by the C-suite, because 85% of respondents didn't believe their job security would be at risk if there were a security compliance issue.

Pogue said this question of the survey may have been overly broad.

"Such a broad statement could encompass everything, from gross negligence and willful blindness to a simple oversight or interpretation of a reasonable compensating control. I think in matters of negligence, willful blindness or dishonesty, the executive should absolutely be held responsible, as failure in these areas represents a breakdown in integrity -- something that security professionals need to ensure remains beyond reproach," Pogue said. "However, if there is a failure based on the interpretation of a compensating control or a technical oversight, then the situation should certainly be used as a learning experience, but not necessarily treated as a terminating offense."

Crosby said executives "absolutely" should be at risk of losing their jobs in these situations. "Security needs to be a fundamental promise of businesses. Customers should reject companies that do a bad job at protecting their data, and consumers should abandon organizations that don't protect them," he said. "Compliance does not mean security. We need to demand security, and compliance is a minimum level of assurance that the company is being responsible."

Pogue said, ultimately, the buck must stop with the C-suite. 

"You are officers of the company, and upon your shoulders rests not only the success of your respective organizations, but the well-being and financial stability of your employees," Pogue said. "If you are not going to stand up and accept the mantle of leadership by acknowledging your ultimate responsibility for the company and its collective actions -- or inactions, as the case seems to be -- who is?"
