As part of our “C-Suite Accountability” theme, we explore why holding senior executives accountable is a necessary motivator in the prioritization, development, and adoption of cybersecurity initiatives across the small to medium-sized organization. In this post, our CEO explains why responsibility and accountability reside solely with the CEO when it comes to securing the SMB, and defends security as a pillar alongside performance and availability of technology in your infrastructure.
I read about breaches in the news so that I can understand why they happened. Part of this is morbid curiosity. Another part is my desire to continually improve my company’s Managed Detection and Response service – I ask, would we have caught this? If they had IntelliGO MDR, would they be in the news right now? I think about the decisions I make in my capacity as CEO, and the personal ownership I take for everything that happens in my company.
On the other hand, I remember a high-profile Canadian breach reported in the news some years ago, where the cause was identified as a known vulnerability that had not been patched. This company said that an unnamed individual was responsible for patching and had not acted in keeping with their policy. They also acknowledged that their technology had failed to detect that the patch had not happened. And while the story was deemed questionable by some, internally, management must have known that this person was a scapegoat. That the responsibility to know about a risk to a mission-critical asset was management’s – the CEO’s specifically.
Today I will share with you why that responsibility belongs only to the CEO. There is more to the cause of a breach than “one patch” or “one person not issuing a patch.” The KPIs management reviews, the governance put in place, the lifecycle management of