Why We Need Accountability in Cybersecurity

The complex evolution of technology, and by extension the cybersecurity landscape, is two-fold: it drives the development of innovative technologies while escalating the sophistication of cybersecurity threats.

Accountability needs to start from the top, with the leaders establishing the direction and culture for others in the organisation to follow. When leaders hold themselves responsible, this has a flow-on effect to those in the organisation; however, when answerability is absent, “organizations tend to suffer from misalignment, lack of ownership, and a failure to execute strategic initiatives”.

Three Key Principles

This gives rise to the concept of accountability in cybersecurity, which is focused on three key principles: prevention, mitigation, and communication. The core responsibility of an organisation rests in the mitigation of cybersecurity incidents through the implementation of all reasonable measures. While these principles may seem simple in concept, implementation is hierarchical and difficult.

Decrease in Risk

IT systems comprise both technological and social aspects, the latter including human decisions, and both work holistically to design and implement security controls and measures that protect an organisation’s infrastructure and information.

When a culture of accountability is fostered, the reduction in risk becomes evident: a study undertaken by BlackBerry and Corvus Insurance showed that 34% of respondents were denied cyber insurance coverage due to the absence of fundamental security technologies, such as endpoint detection and response (EDR) capabilities.

To obtain cyber insurance, which we recommend, many businesses held themselves accountable and implemented EDR to qualify for coverage, reducing their risk profile and shifting exposure from the organisation to the insurer. In so doing, accountability reduces the risk to the organisation.

Furthermore, compelling evidence indicates that a substantial percentage of security breaches stem from within the organisation, frequently attributable to employees—whether through deliberate actions or inadvertent lapses—resulting from non-adherence to established cybersecurity protocols. Therefore, a framework of accountability is key to the reduction of security breaches.

When there is a framework of accountability, there are several benefits:

  1. Increased Compliance
    1. When there is accountability and the presence of oversight, employees are significantly more predisposed to align their actions with established cybersecurity protocols.
    1. This also leads to a reduction in human error, as cybersecurity best practices are followed.
  2. Established Protocols
    1. Cybersecurity protocols are proven to safeguard critical assets and improve resilience against the relentless evolution of cyber threats.
    1. Experts have identified and provided a standardised methodology that is proactive against future and present threats.
  3. Organisational Learning
    1. All activities are logged.
    1. After an incident, employees can look back at the resolution and actions undertaken.
    1. This allows the organisation to identify any vulnerabilities, human error or efficiency loss.

Therefore, accountability has been proven to provide value-added benefits, but only if a framework of accountability is present. A top-down approach is necessary to ensure that the direction and culture are in compliance with cybersecurity best practices. This approach comprehensively ensures that businesses are provided with robust data protection measures that safeguard confidentiality, and wide-ranging security controls and measures that protect the organisation’s IT infrastructure.
