This is the second installment in a three-part series about data risk management. For the full story, be sure to read part 1 and part 3.

High-profile cyberattacks and data breaches shine a spotlight on an infrequently discussed organizational issue: Who is ultimately responsible for the security of mission-critical data within the enterprise?

All too often, this question is examined in the heat of post-incident response to determine who should be taken to task. Who loses his or her job for failing to protect sensitive information in the event of a massive breach? Is it the chief data officer (CDO), chief information officer (CIO), chief security officer (CSO), chief risk officer (CRO) or chief executive officer (CEO)?

Who Is Responsible for Data Risk Management?

By taking a more proactive approach to determining who should actually hold most of the responsibility and how that responsibility is divided before a data breach occurs, the C-suite can help avoid catastrophic breaches in the first place. Any such examination requires participants to agree on and understand the following:

  • Who owns the organization’s critical data/crown jewels?
  • Who knows where that critical data resides?
  • Who manages the security of that critical data?
  • Who decides what data is considered critical versus what data is deemed noncritical?
  • Who is accountable if the data is exposed?

By clearly defining lines of responsibility, it’s possible to enhance organizational processes and procedures that reinforce critical data protection. Although it’s not easy to discover all the different players who handle or are otherwise responsible for critical data, organizations can bring a greater level of accountability to those involved by identifying the players who have custodianship or a hand in accessing and processing that data. A holistic picture that provides answers to the above questions can help C-level executives cut through the complexity to better focus on managing critical data risk.

Why Is Critical Data So Hard to Defend?

For many organizations, targeted risk management will require a significant change in their current processes. It’s not uncommon for executives to assign line-of-business (LOB) managers the task of determining the acceptable risk level. Without a big-picture view of critical data risk, however, the risk is equated with not meeting financial or other business objectives rather than avoiding data threats. Spreading the task of managing data risk across multiple units, departments and stakeholders means there is no clear line of accountability.

The diffusion of responsibility for managing data risk also makes it impossible for the chief information security officer (CISO) and his or her team to prioritize securing the organization’s crown jewels. Few cross-organizational security teams actually know where the most critical data is located, and they often lack a complete understanding of what data would do the most damage if it were compromised. Without that insight, security teams have to treat all digital assets equally, essentially taking a boil-the-ocean approach to data protection.

Data Risk Management Is a Team Effort

By answering the questions listed above, organizations can determine who owns the most critical data. They can then team those data owners with IT security practitioners to prioritize protection. Data owners can take responsibility for creating the policies for what the data risk level should be and to what extent data should be protected. The CISO’s team can then take responsibility for the technical implementation and communication of these data security and privacy policies. Sharing that context allows the security team to understand what it is protecting and begin the process of prioritizing discovery, classification, hardening and monitoring mission-critical data.

Finally, the entire C-suite must be able to track the status of data risk via analytics that explain it in the context of the organization’s business objectives. Data risk management should be a proactive engagement for all members of the C-suite. But at the end of the day, it’s the CEO who should take ultimate responsibility.
