How Many C-Levels Does It Take to Securely Manage Regulated Data?
It may sound like a joke, but no one is laughing at the astronomical costs of failing at it.
Managing regulated data is increasingly a nightmare task. The number of attacks and leaks is up, and so are the associated costs and penalties. The situation is so dire that the call to make everyone responsible for data security became a universal mantra. Of course, when everyone is responsible, usually no one is accountable, so that idea flops fast. The question of what to do now to cope and comply is burning a circuit in the C-suite.
Meanwhile, older regulations are tightening, and newer ones are popping up around the globe -- and all of them come with stiffer penalties. According to Rubrik Zero Labs data, more than half (54%) of all external organizations experienced a material loss of sensitive information in the last year. It’s probably a safe bet that the actual number is even higher, given that many incidents remain undetected or unreported.
According to a recent study by Keeper Security, “40% of organizations experienced a cybersecurity incident, yet 48% of those did not disclose the incidents to the appropriate authorities.” Shockingly, 41% said that cyberattacks were not disclosed to internal leadership. Fudging the reports to soften the blow does nothing to ease the minds of C-level executives, however.
“I’ve seen a notable shift in the last few years to more C-suite and board leaders becoming active participants in cybersecurity conversations,” says Brent Johnson, CISO at Bluefin. “This was accelerated by the rapid transition to remote and hybrid work along with daily headlines, and coupled with mounting pressure to maintain regulatory compliance, securely managing data is no longer a concern just for CISOs.”
This is a bit of a remix of that old favorite song “everyone is responsible, but no one is accountable” for securely managing the data. Is there a smart way to break free from circular thinking and find a recipe with the perfect blend of executive involvement?
Balancing Chefs and Cooks
While there’s much to be said in defense of a single person having the ultimate say and responsibility, the job may be too big for anyone to succeed.
“It would be a mistake to assume that data security is something that the CIO can manage by herself, or the chief legal officer can mitigate by himself; just as cost discipline and profitability is not merely the job of the CFO, nor is brand-building merely the job of the CMO. These are enterprise priorities that require cross-functional leadership to be successful,” says Maurice Uenuma, VP & GM, Americas at Blancco.
But putting more than one person in charge creates problems, too.
“Having two or more executives lead the charge may cause more roadblocks and dueling priorities. As Grandpa always said, ‘If you have two good quarterbacks, it means you don’t have a starting quarterback,’” says Steve Stone, head of Rubrik Zero Labs.
And no one knows how well any given quarterback can cook up a serious defense play for data.