How Many C-Levels Does It Take to Securely Manage Regulated Data?

Managing regulated data is increasingly a nightmare task. The number of attacks and leaks are up and so are associated costs and penalties. The situation is so dire that the call to make everyone responsible for data security became a universal mantra. Of course, when everyone is responsible usually no one is accountable so that idea flops fast. The question of what to do now to cope and comply is burning a circuit in the C-suite.

Meanwhile, older regulations are tightening, and newer ones are popping up around the globe -- and all of them come with stiffer penalties. According to Rubrik Zero Labs data, more than half (54%) of all external organizations experienced a material loss of sensitive information in the last year. It’s probably a safe bet that the actual number is even higher given many incidences remain undetected or unreported.

According to a recent study by Keeper Security, “40% of organizations experienced a cybersecurity incident, yet 48% of those did not disclose the incidents to the appropriate authorities.” Shockingly, 41% said that cyberattacks were not disclosed to internal leadership. Fudging the reports to soften the blow does nothing to ease the minds of C-level executives, however.

“I’ve seen a notable shift in the last few years to more C-suite and board leaders becoming active participants in cybersecurity conversations,” says Brent Johnson, CISO at Bluefin. “This was accelerated by the rapid transition to remote and hybrid work along with daily headlines, and coupled with mounting pressure to maintain regulatory compliance, securely managing data is no longer a concern just for CISOs.”

Related:The Ever-Expanding List of C-Level Technology Positions

This is a bit of a remix of that old favorite song “everyone is responsible, but no one is accountable” for securely managing the data. Is there a smart way to break free from circular thinking and find a recipe with the perfect blend of executive involvement?

Balancing Chefs and Cooks

While there’s much to be said in defense of a single person having the ultimate say and responsibility, the job may be too big for anyone to succeed.

“It would be a mistake to assume that data security is something that the CIO can manage by herself, or the chief legal officer can mitigate by himself; just as cost discipline and profitability is not merely the job of the CFO, nor is brand-building merely the job of the CMO. These are enterprise priorities that require cross-functional leadership to be successful,” says Maurice Uenuma, VP & GM, Americas at Blancco.

But putting more than one person in charge creates problems, too.

Related:CIOs in 2023: Guiding Business Strategies Through Data-Driven Decisions

“Having two or more executives lead the charge may cause more roadblocks and dueling priorities. As Grandpa always said, ‘If you have two good quarterbacks, it means you don’t have a starting quarterback,’” says Steve Stone, head of Rubrik Zero Labs.

And no one knows how well any given quarterback can cook up a serious defense play for data.

The ‘Many Eyes’ Approach to Watching Pots Boil Over

Theoretically at least, the more eyes on regulated data, the safer it remains. The plan here is for everyone to take a look, presumably while hoping it’s true that a watched pot never boils over.

“Traditionally, the responsibility for protecting sensitive information fell mostly on the CIO, CTO, CISO and CRO (chief risk officer),” says Erik Gaston, CIO of endpoint security company Tanium. While these traditional roles have been historically critical for setting the standards and properly leading teams around sensitive data management, it is becoming ever more important for the business to take an active role in this space and partner with the technology executives as well,” he says.

But in some industries, there’s even more eyes from more business heads focused on securing regulated data.

“We have seen new roles emerge in many regulated companies because of this, especially in banks. Some of these roles include the BISO (business information security officer) and CDO (chief data officer) and the like. The partnership between the business, technology and operations is critical to ensure that we have the correct sets of eyes on the data and are keeping sensitive customer data secure and compliant at all times,” Gaston says.

Related:Sign Up for InformationWeek's New Cyber Resilience Newsletter

This approach can lead to everyone looking and few, if anyone, doing the cooking, or it can lead to far too many cooks in the kitchen. Either outcome is not terribly effective.

Seasoning the Recipe for Success

Perhaps counting chefs and cooks is not the right approach to perfecting a recipe for success.

“It’s not how many cooks are in the kitchen; it’s about knowing what the heck we’re even cooking,” says Igor Volovich, VP of compliance strategy for cyber compliance automation firm Qmulos. “Most of the time, it’s a free-for-all, each chef for themselves, whipping up their own specialty recipes, with little common culinary theme, at least when it comes to security and risk, while the CISO walks around like a bothersome health inspector, trying to make sure the ingredients aren’t spoiled and everyone’s washing their hands.”

If all eyes are on the recipe’s ingredients, then we’re really cooking up some solid security. CISOs can direct these activities in many meaningful ways.

“For example, while a CFO doesn’t need to be directly involved in managing regulated data, CISOs can ensure the CFO’s buy-in by tying security technologies and tools to specific business outcomes. When preventing data breaches and meeting compliance can mean saving millions of dollars in financial losses, we’ll continue to see more cross-functional collaboration on cybersecurity issues. CISOs should remain at the forefront of these conversations to advocate for the policies and investments needed to maintain robust cyber defenses,” Johnson says.

But variations on the recipe work, too.

“CIOs should take a comprehensive approach by not only partnering with the CFO, but also including traditionally uninvolved C-suite members, including the CTO and the CMO,” says Mark Angle, chief cloud operations officer for OneStream Software. “This strategy enables C-suite leaders to collaborate with the CIO and CTO to make critical decisions -- just as they would on any other matter that might pose a risk to the company.”

“This strategy also frees up the CEO who needs only to intervene in critical situations. Clear communication between the CIO and CFO fosters a unified data strategy, mitigating risk and preventing the overwhelming presence of too many cooks in the kitchen,” Angle adds.