Cybersecurity is front and center in the headlines once again. Recent congressional hearings on the largest cyberattack in U.S. history — a breach into the personal data of anywhere from 4.2 to upwards of 18 million Americans — failed to identify anyone willing to take responsibility, and further hearings just last week produced similar results.
Tony Scott, the U.S. Chief Information Officer, began his testimony by stating the problem: “Both state and non-state actors who are well financed, highly motivated, and persistent are attempting to breach both government and non-government systems every day, and these attempts are not going away… But that means we have to be as nimble, as aggressive, and as well resourced as those who are trying to break into our systems. Confronting cybersecurity risks on a continuous basis is our nation’s new reality.”
However, while congressional hearings are good at identifying problems, they seem incapable of identifying solutions, or even responsibility:
WASHINGTON — The director of the Office of Personnel Management said Tuesday she doesn’t believe anyone at her agency is personally responsible for allowing the massive hack attack that has exposed the personal information of millions of federal employees.
“If there is anyone to blame, it is the perpetrators,” OPM Director Katherine Archuleta told members of a Senate panel at the first of four congressional hearings this week to examine the OPM cyber attack.
In corporate America, ownership for security sits at the top of the organization, at the CEO and CIO’s level. Ask the former CEO or CIO of Target who was to blame for the retail giant’s infamous security breaches.
Nobody with an IT background will deny that hackers are constantly trying to breach their servers and steal their data. At Online Tech’s data centers, we fend off thousands of attacks every day on data infrastructure for mid-market corporations. If these mid-size companies are targets for cyber criminals — and we have seen dozens of breaches at large enterprises, retailers, and insurance companies across the country — then the federal government’s largest database of personnel and security information should be protected with the cybersecurity equivalent of Fort Knox.
To deny responsibility for a cyberattack means that you don’t take cybersecurity seriously. CEOs are as responsible for the protection of their data as they are for the protection of their people, their physical assets, and their brand. CIOs and CISOs usually take point on this by ensuring that multiple lines of defense and active threat monitoring and management are deployed and that systems are continually updated to defend against the ever-escalating data security war.
Breaches can still occur because of human error, and new defenses will always need to be built. But when the leader of an organization that holds sensitive data denies responsibility, there’s a bigger problem at play. If no one owns data security and privacy, then your organization has no serious plan to defend and protect its greatest asset. Accountability starts at the top of any organization.
As Jennifer Granholm, former Attorney General and Governor of Michigan, once said: “We need, first of all, for there to be accountability, for there to be somebody who is responsible for enforcing standards and holding people’s feet to the fire.” At the moment, the only feet held to the fire are the millions of Americans whose personal information is now in the hands of criminals who could use it against them.
Scott concluded his testimony on cyberattacks by saying “it’s not going to go away, and we’re going to see more of it.” Along with those future attacks, let’s hope we see leaders willing to be held accountable the next time a data breach occurs, because the buck should stop at the top.