Business cyber security: who’s in charge?


With big businesses being hacked more and more often, we look into who is accountable for keeping important data safeguarded and what that job role entails. Mark James, ESET IT Security Specialist, explains…


“One of the worst breaches of late was the VTech breach in November 2015; a catalogue of errors enabled an unauthorised user to access data on a server.

“It contained very sensitive information, not just concerning adults but also, very alarmingly, children as well.

“Data breaches happen all the time, I hear you say, and you are right. Realistically it’s very hard to be 100% certain it’s not going to happen to you; that is, of course, if you take reasonable care to protect that sensitive data.

“If what we read is correct, they did not take the necessary care: passwords were insecurely stored, and key security questions and answers were stored in plain text.

“If you are going to store extremely sensitive data like this, then you need someone to have clear authority on what you should be doing to protect that data.

“Someone has to be accountable; typically the CIO is that person, and he or she should be responsible for putting IT policies and practices into play and ensuring acceptable levels of training are provided.

“These trained persons should be aware of current attack vectors and be responsible for ensuring that, as a business entrusted with someone else’s very private data, where possible you make the best efforts to keep it safe, which was clearly not the case here.

“The role of the CIO has evolved, and will continue to evolve, as far as the challenges posed to security posture by the emerging threat-scape are concerned.

“The only way to keep ahead is to have an understanding of how (cyber) criminals work along with the current trends in malware techniques, as well as what’s working and what’s not, and that’s not doable by a single person.

“It will take a good team of experts in their fields, along with continued testing and tweaking of policies and practices, to ensure you are prepared for any activity that your software or hardware measures do not detect.

“Malware today can be very intelligent; when you pair that with a determined individual, either internal or external, you have a very formidable weapon to combat, and one that all too often succeeds in acquiring its target.

“The role of the CIO is not an easy job; you are nearly always trying to second-guess scenarios, firefight or even assume what others, who are often very intelligent in their fields of expertise, are doing.

“It’s a job that, when it pays off, is rarely rewarded but when it goes wrong the whole world could know about it.”
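The specific failing Mark James points to, passwords stored insecurely and security answers in plain text, has a well-understood technical fix that any team reporting to that accountable CIO should be able to apply. The following is an added example written for this article, not code from ESET or from the breached system; the `INSECURE_RECORD` is a constructed sample of the kind of record described, and the field names, the `pbkdf2_sha256$iterations$salt$hash` storage format and the 600,000-iteration work factor are choices made for the illustration. It shows the plain-text record beside a hardened version in which both the password and the security answer are stored as salted, iterated hashes, and compared in constant time.

```python
import hashlib
import hmac
import os

# Constructed sample record of the kind described in the article: a password
# plus a security question and answer, all stored in plain text. Illustrative
# values only, not data from any real breach.
INSECURE_RECORD = {
    "email": "parent@example.com",
    "password": "Summer2015!",
    "security_q": "What was your first pet's name?",
    "security_a": "Rex",
}

# PBKDF2-HMAC-SHA256 work factor (assumed value; raise it as hardware improves).
ITERATIONS = 600_000


def hash_secret(secret, salt=None, iterations=ITERATIONS):
    """Derive a salted, iterated hash and return a self-describing string
    'pbkdf2_sha256$iterations$salt_hex$hash_hex' (format assumed for this example)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per secret: identical inputs hash differently
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret, stored):
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False  # refuse unknown or legacy formats rather than guessing
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def normalise_answer(answer):
    """Security answers are low-entropy and typed inconsistently ('Rex', ' rex ');
    normalise case and whitespace before hashing so legitimate users can still match."""
    return " ".join(answer.strip().lower().split())


def harden_record(record):
    """Return the same record with password and security answer replaced by hashes.
    The question itself is not a secret and stays readable."""
    return {
        "email": record["email"],
        "password": hash_secret(record["password"]),
        "security_q": record["security_q"],
        "security_a": hash_secret(normalise_answer(record["security_a"])),
    }


def check_login(hardened, password, answer):
    """Authenticate against the hardened record: both factors must verify."""
    return verify_secret(password, hardened["password"]) and verify_secret(
        normalise_answer(answer), hardened["security_a"]
    )


if __name__ == "__main__":
    hardened = harden_record(INSECURE_RECORD)
    print("stored password field:", hardened["password"])
    print("stored answer field:  ", hardened["security_a"])
    print("correct credentials:", check_login(hardened, "Summer2015!", " REX "))
    print("wrong answer:       ", check_login(hardened, "Summer2015!", "Max"))
```

The point of the self-describing format is operational rather than cryptographic: when the accountable owner later decides to raise the work factor or move to a stronger algorithm, old records can be identified and re-hashed at the user's next login instead of forcing a mass reset. Note that hashing does not make a security answer strong; it only prevents the answer being read straight out of a stolen database, which is exactly the failure the quote describes.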


How do you think the role of CIO is likely to change in the future? Let us know via Twitter @ESETUK

