Who is on the line for cybersecurity? 

The Board? The CEO? The CFO? The CIO? The CISO? Someone else?

The short answer is yes. 

All of us to a greater or lesser extent are responsible for the cyber health and safety of the organizations we belong to. But when we look at the day-to-day operation and management of a given security environment, responsibility gets complicated.

According to a recent survey by HelpNet Security, 77% of the Fortune 500 do not show publicly the person responsible for their security strategy, and a full 52% do not have any language on their site about how they protect customer data beyond a legally required privacy notice. 

And there’s more:

• 190 companies–almost 40%–in the Fortune 500 do NOT have a chief information security officer (CISO) on staff; only 30 of those organizations name another executive responsible for cybersecurity strategy 

• Of the 62% that do have a CISO on staff, only 4% list that person as part of the company’s leadership team

Well, sh*t. That means most companies don’t have CISOs and the ones that do have almost NO influence.

And keep in mind–we’re still just talking about just the Fortune 500! For the countless other companies out there not large enough to make this elite group, the odds of cybersecurity responsibility falling to someone who is not a security practitioner grow. And grow. Privacy and security regulations like GDPR and NIST further complicate matters for non-security professionals also tasked with maintaining compliance. 

So Who Owns Cybersecurity Everyplace Else?

Or let’s put it this way: Who gets fired when the sh*t hits the fan? Is it YOU? 

Everyone likes transparency. We like to know who’s in charge. We definitely like to know who’s to blame when something goes awry. 

But wait a minute. Aren’t we all to blame if there’s a cybersecurity failure?

Are we really just pointing at the one cybersecurity person we can find (if we can find one) and saying, “it’s all your fault?” Let’s be honest with ourselves: Everyone wants an organization that’s all in when it comes to cybersecurity.  

When organizations fail to state clearly who’s responsible for security, they do themselves as well as their customers a disservice.  Whether we’re talking about a person or a team, we want to know clearly, transparently, where the buck stops. Where we can go to ensure the cyber strategy is on track and to whom we can turn for help if it goes off the rails. If those peeps aren’t cyber experts, how does that affect us?

In the first place, someone without the resources or expertise to evaluate the efficacy of cyber solutions is forced to muck their way through thousands upon thousands of tools in the market, relying on partners, analysts, reviewers, or other third parties to help them sift through the noise and make purchase decisions--decisions that are rarely tied to the company strategy or business outcomes.

In the second place, once purchases have been made, the executive tasked with the job must find a way to implement them, connect them, test them, and maintain them. These tasks are difficult even for experienced CISOs; how can the (nearly) 40% of Fortune 500 companies and hundreds of thousands of smaller organizations without a CISO or named security expert hope to succeed?

By treating security the same way Netflix, Spotify, and Apple treat content delivery–using a multi-tier subscription-based model to deliver better, faster value to their customers.

Cybersecurity-as-a-service (CSaaS) is the new way to achieve successful cybersecurity outcomes. The CSaaS model takes the worry and guesswork out of security purchases by providing customers expert practitioners, proven technologies, and a strategic long-term roadmap at a fixed monthly price. This type of subscription service also enables those executives responsible for trying to maintain standards including SOC 2, CMMC, NIST, ISO, HIPAA, and PCI the ability to achieve complete and continuous compliance even as regulations change. 

Cybersecurity-as-a-service makes it easy for the people responsible for keeping sensitive customer data and other confidential information safe to feel confident in their security posture and their compliance adherence regardless of whether they are a security practitioner or not. If you are that person, we give you the confidence to say, “The buck stops with me.” 

Let us show you how! Learn more about our CSaaS solutions now.