This is the second installment in a three-part series about data risk management. For the full story, be sure to read part 1 and part 3.

High-profile cyberattacks and data breaches shine a spotlight on an infrequently discussed organizational issue: Who is ultimately responsible for the security of mission-critical data within the enterprise?

All too often, this question is examined in the heat of post-incident response to determine who should be taken to task. Who loses his or her job for failing to protect sensitive information in the event of a massive breach? Is it the chief data officer (CDO), chief information officer (CIO), chief security officer (CSO), chief risk officer (CRO) or chief executive officer (CEO)?

Who Is Responsible for Data Risk Management?

By taking a more proactive approach to determining who should actually hold most of the responsibility and how that responsibility is divided before a data breach occurs, the C-suite can help avoid catastrophic breaches in the first place. Any such examination requires participants to agree on and understand the following:

  • Who owns the organization’s critical data/crown jewels?
  • Who knows where that critical data resides?
  • Who manages the security of that critical data?
  • Who decides what data is considered critical versus what data is deemed noncritical?
  • Who is accountable if the data is exposed?

By clearly defining lines of responsibility, it’s possible to enhance organizational processes and procedures that reinforce critical data protection. Although it’s not easy to discover all the different players who handle or are otherwise responsible for critical data, organizations can bring a greater level of accountability to those involved by identifying the players who have custodianship or a hand in accessing and processing that data. A holistic picture that provides answers to the above questions can help C-level executives cut through the complexity to better focus on managing critical data risk.

Why Is Critical Data so Hard to Defend?

For many organizations, targeted risk management will require a significant change in their current processes. It’s not uncommon for executives to assign line-of-business (LOB) managers the task of determining the acceptable risk level. Without a big-picture view of critical data risk, however, the risk is equated with not meeting financial or other business objectives rather than avoiding data threats. Spreading the task of managing data risk across multiple units, departments and stakeholders means there is no clear line of accountability.

The diffusion of responsibility for managing data risk also makes it impossible for the chief information security officer (CISO) and his or her team to prioritize securing the organization’s crown jewels. Few cross-organizational security teams actually know where the most critical data is located, and they often lack a complete understanding of what data would do the most damage if it were compromised. Without that insight, security teams have to treat all digital assets equally, essentially taking a boil-the-ocean approach to data protection.

Data Risk Management Is a Team Effort

By answering the questions listed above, organizations can determine who owns the most critical data. They can then team those data owners with IT security practitioners to prioritize protection. Data owners can take responsibility for creating the policies for what the data risk level should be and to what extent data should be protected. The CISO’s team can then take responsibility for the technical implementation and communication of these data security and privacy policies. Sharing that context allows the security team to understand what it is protecting and begin the process of prioritizing discovery, classification, hardening and monitoring mission-critical data.

Finally, the entire C-suite must be able to track the status of data risk via analytics that explain it in the context of the organization’s business objectives. Data risk management should be a proactive engagement for all members of the C-suite. But at the end of the day, it’s the CEO who should take ultimate responsibility.

Read the white paper: Data Risk Management in 2018

More from CISO

What CISOs Should Know About CIRCIA Incident Reporting

In March of 2022, a new federal law was adopted: the Cyber Incident Reporting Critical Infrastructure Act (CIRCIA). This new legislation focuses on reporting requirements related to cybersecurity incidents and ransomware payments. The key takeaway: covered entities in critical infrastructure will now be required to report incidents and payments within specified time frames to the Cybersecurity and Infrastructure Security Agency (CISA). These new requirements will change how CISOs handle cyber incidents for the foreseeable future. As a result, CISOs must…

Who Carries the Weight of a Cyberattack?

Almost immediately after a company discovers a data breach, the finger-pointing begins. Who is to blame? Most often, it is the chief information security officer (CISO) or chief security officer (CSO) because protecting the network infrastructure is their job. Heck, it is even in their job title: they are the security officer. Security is their responsibility. But is that fair – or even right? After all, the most common sources of data breaches and other cyber incidents are situations caused…

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…