
Who 'owns' an investigation into a security breach?

Taylor Armerding | March 3, 2015
Experts agree that ownership of an investigation depends on what happened, but an advisory council says no matter who owns it, it needs ‘Unified Risk Oversight’ to be effective.

Kim Jones, senior vice president and CSO at Vantiv, said investigations typically fall to "the CSO, CISO, audit, HR, legal, ethics, and finance."

But that, he said, still leaves plenty of opportunity for investigations to become fragmented, with negative consequences.

"It is not unusual for organizations to silo investigations within their bailiwick with minimal coordination," he said. "As organizations mature, this can lead to investigative activities stepping on one another, but more often it leads to investigative actions failing to occur."

So he agrees with the SEC that "pulling together" the departments that have an investigative role is a good thing, using what he called "the RACI (responsible, accountable, consulted, informed) matrix for each function in each type of investigation. Figuring out who does what -- and when -- is essential to ensuring that things don't fall through the cracks," he said.

The SEC said the CSO may not "own" all investigations, but that especially in situations where "many functions claim responsibility for investigations, the role of the security executive can be to facilitate role definition, organizational responsibility, and priorities."

Jones agreed that the CSO/CISO "in many cases can and should be the catalyst for these kinds of discussion. Often investigations require access to data that exists within the security tools or that only security personnel have access to."

He added that determining who owns the investigation just takes some logic. "If we define the investigative types, and the RACI, we also define which organizations can call for an investigation and who owns the investigation," he said.

But he is emphatic that the CSO should not always oversee them. "There are things that for good order and good business, the CSO has no business knowing within the organization until a certain time," he said.

"Gathering the data from the network to make those determinations and potentially analyzing the data for appropriate indicators? Yeah, that probably should be within my wheelhouse due to skills, tools etc.," he said. "But that is different from overseeing an investigative effort."

The SEC's Kathleen Kotwica said while it is important to define those who will lead and support an investigation, URO is not "just about a 'team.' It's a process to effectively manage different risks across the enterprise and at the same time determine how to apply company resources so that the process is not prohibitively expensive."

The URO process, she said, is to make sure that all key stakeholders are involved, that their responsibilities are clearly defined and that somebody is in charge of overseeing their efforts.

Even if the right structure is in place, however, it takes planning and practice to get it right.
