This is the second installment in a three-part series about data risk management. For the full story, be sure to read part 1 and part 3.

High-profile cyberattacks and data breaches shine a spotlight on an infrequently discussed organizational issue: Who is ultimately responsible for the security of mission-critical data within the enterprise?

All too often, this question is examined in the heat of post-incident response to determine who should be taken to task. Who loses his or her job for failing to protect sensitive information in the event of a massive breach? Is it the chief data officer (CDO), chief information officer (CIO), chief security officer (CSO), chief risk officer (CRO) or chief executive officer (CEO)?

Who Is Responsible for Data Risk Management?

By taking a more proactive approach to determining who should actually hold most of the responsibility and how that responsibility is divided before a data breach occurs, the C-suite can help avoid catastrophic breaches in the first place. Any such examination requires participants to agree on and understand the following:

  • Who owns the organization’s critical data/crown jewels?
  • Who knows where that critical data resides?
  • Who manages the security of that critical data?
  • Who decides what data is considered critical versus what data is deemed noncritical?
  • Who is accountable if the data is exposed?

By clearly defining lines of responsibility, it’s possible to enhance organizational processes and procedures that reinforce critical data protection. Although it’s not easy to discover all the different players who handle or are otherwise responsible for critical data, organizations can bring a greater level of accountability to those involved by identifying the players who have custodianship or a hand in accessing and processing that data. A holistic picture that provides answers to the above questions can help C-level executives cut through the complexity to better focus on managing critical data risk.

Why Is Critical Data so Hard to Defend?

For many organizations, targeted risk management will require a significant change in their current processes. It’s not uncommon for executives to assign line-of-business (LOB) managers the task of determining the acceptable risk level. Without a big-picture view of critical data risk, however, those managers equate risk with missing financial or other business objectives rather than with exposure to data threats. Spreading the task of managing data risk across multiple units, departments and stakeholders means there is no clear line of accountability.

The diffusion of responsibility for managing data risk also makes it impossible for the chief information security officer (CISO) and his or her team to prioritize securing the organization’s crown jewels. Few cross-organizational security teams actually know where the most critical data is located, and they often lack a complete understanding of what data would do the most damage if it were compromised. Without that insight, security teams have to treat all digital assets equally, essentially taking a boil-the-ocean approach to data protection.

Data Risk Management Is a Team Effort

By answering the questions listed above, organizations can determine who owns the most critical data. They can then team those data owners with IT security practitioners to prioritize protection. Data owners can take responsibility for creating the policies for what the data risk level should be and to what extent data should be protected. The CISO’s team can then take responsibility for the technical implementation and communication of these data security and privacy policies. Sharing that context allows the security team to understand what it is protecting and begin the process of prioritizing discovery, classification, hardening and monitoring mission-critical data.

Finally, the entire C-suite must be able to track the status of data risk via analytics that explain it in the context of the organization’s business objectives. Data risk management should be a proactive engagement for all members of the C-suite. But at the end of the day, it’s the CEO who should take ultimate responsibility.

Read the white paper: Data Risk Management in 2018
