Holding people and business units accountable is at the heart of an information security career. The information security group is responsible for ensuring the confidentiality of a company’s data, but it rarely has the authority to take direct action against business units or individuals that fail to follow policy. That authority typically rests with the employee’s manager, or, for a business unit, with its vice president or general manager.
As an example, the information security team is often tasked with performing vulnerability scans of the organization’s IT assets. These scans identify vulnerabilities in applications and operating systems ranging from low to critical severity. The security team reviews the findings and prioritizes them based on the importance of the affected asset and the threats facing the organization. The most impactful vulnerabilities are then handed to IT for patching. In small organizations security and IT may be a single group, but in large organizations patching is done by each business unit’s own IT department. Whether your organization is breached often depends on how quickly and thoroughly IT patches systems with critical vulnerabilities.
So, how do you hold people and business units accountable? You use a carrot or a stick or both.
One method for driving accountability is to reward proper behavior, the carrot approach. For example, employees receive a $10 American Express gift card if they identify and properly report a phishing email that would otherwise have resulted in a successful attack. Security teams can also work with the organization’s leadership to build security into employees’ performance plans. In the previous example, a system administrator’s performance plan would include a metric for timely and thorough patching. In general, the carrot approach is far more palatable to organizations and employees.
Now for the stick. With this philosophy, employees and business units are punished for failing to adhere to policy. For example, employees who do not complete security awareness training have their network access disabled. Another common approach used by CIOs and CISOs is the “shaming report,” a recurring dashboard produced by security that shows how each business unit is performing on specific security tasks, such as patching within the agreed service level. The shaming report places the top and worst performers side by side and is typically delivered to executive management. The idea is that the report will shame poorly performing business units into compliance.
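To make the vulnerability-prioritization and shaming-report ideas from the two passages above concrete, here is an added example (not code from the original post): it scores constructed scan findings by severity and asset importance, produces the prioritized worklist that would go to IT, and then builds the per-business-unit patch-SLA table that a shaming report is made of. The SLA days, severity scores, asset weights, host names and business units are all assumptions chosen for illustration; open findings that are still inside their SLA are reported as pending rather than counted against the unit.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Hypothetical policy values: maximum days allowed to patch, by scanner severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Hypothetical asset-importance weights used to decide what IT should patch first.
ASSET_WEIGHT = {"internet-facing": 3, "internal": 2, "lab": 1}


@dataclass
class Finding:
    host: str
    business_unit: str
    severity: str
    asset_class: str
    found: date
    fixed: Optional[date] = None  # None means the vulnerability is still open


def priority(f: Finding) -> int:
    """Severity scaled by how important the asset is (higher = patch first)."""
    return SEVERITY_SCORE[f.severity] * ASSET_WEIGHT[f.asset_class]


def sla_status(f: Finding, as_of: date) -> str:
    """'compliant' (fixed in time), 'breached' (fixed late, or open past SLA)
    or 'pending' (open but still inside its SLA window)."""
    age = ((f.fixed or as_of) - f.found).days
    if age > SLA_DAYS[f.severity]:
        return "breached"
    return "compliant" if f.fixed else "pending"


def worklist(findings: List[Finding], as_of: date) -> List[Finding]:
    """Open findings in the order they should be handed to IT:
    highest priority first, oldest first on ties."""
    open_findings = [f for f in findings if f.fixed is None]
    return sorted(open_findings, key=lambda f: (-priority(f), f.found))


def shaming_report(findings: List[Finding], as_of: date) -> List[Dict]:
    """One row per business unit, best performer first and worst last."""
    by_bu: Dict[str, Dict[str, int]] = {}
    for f in findings:
        row = by_bu.setdefault(f.business_unit, {"compliant": 0, "breached": 0, "pending": 0})
        row[sla_status(f, as_of)] += 1
    rows = []
    for bu, c in by_bu.items():
        decided = c["compliant"] + c["breached"]  # pending findings are not judged yet
        pct = 100.0 * c["compliant"] / decided if decided else 100.0
        rows.append({"business_unit": bu, "pct_in_sla": round(pct, 1), **c})
    return sorted(rows, key=lambda r: (-r["pct_in_sla"], r["breached"]))


def render(rows: List[Dict]) -> str:
    """Plain-text version of the dashboard handed to executive management."""
    header = f"{'Business unit':<14}{'In SLA %':>9}{'Compliant':>10}{'Breached':>9}{'Pending':>8}"
    body = [
        f"{r['business_unit']:<14}{r['pct_in_sla']:>9}{r['compliant']:>10}{r['breached']:>9}{r['pending']:>8}"
        for r in rows
    ]
    return "\n".join([header, *body])


# Constructed sample scan data for the example; these are not real findings.
AS_OF = date(2024, 6, 1)
SAMPLE = [
    Finding("fin-web-01", "Finance", "critical", "internet-facing", date(2024, 5, 1), date(2024, 5, 5)),
    Finding("fin-db-02", "Finance", "high", "internal", date(2024, 4, 1), date(2024, 5, 10)),
    Finding("eng-api-01", "Engineering", "critical", "internet-facing", date(2024, 4, 20)),
    Finding("eng-ci-03", "Engineering", "high", "internal", date(2024, 4, 15), date(2024, 5, 20)),
    Finding("eng-wiki-01", "Engineering", "medium", "internal", date(2024, 3, 1), date(2024, 5, 1)),
    Finding("eng-lab-07", "Engineering", "low", "lab", date(2024, 5, 20)),
    Finding("hr-portal-01", "HR", "low", "internal", date(2024, 5, 1), date(2024, 5, 11)),
]

if __name__ == "__main__":
    print(render(shaming_report(SAMPLE, AS_OF)))
    print("\nPatch first:")
    for f in worklist(SAMPLE, AS_OF):
        print(f"  {f.host} ({f.business_unit}) priority={priority(f)} status={sla_status(f, AS_OF)}")
```

With the constructed data, HR lands at the top of the table at 100%, Finance in the middle at 50%, and Engineering at the bottom at 33.3% with an internet-facing critical that has been open six weeks; that open critical also heads the worklist sent to IT, which is the link between prioritization in the scan process and accountability in the report.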
In most cases, security teams use a combination of these tactics to hold individuals and business units accountable. It is extremely important that the security team understands the culture of the organization and selects methods that align with the company’s overall philosophy on accountability.
Accountability is becoming serious business. As an example, the CEO of FACC, an Austrian aircraft parts manufacturer, was recently fired when he fell for an email scam that resulted in the loss of $56 million. The stick approach was obviously used in this case, and I believe it also sets a new precedent in holding employees directly accountable for their actions, even if they were tricked or scammed. Did the CEO knowingly transfer the money? No, he was tricked. Should he have known better? I believe that is arguable, maybe. Should other compensating controls have been in place to check that the wire was legitimate? Yes.