Who 'owns' an investigation into a security breach?

The last things an organization needs when launching an investigation into any kind of security breach are confusion and disorganization.

If it is not clear who is really in charge, or what responsibilities fall to what departments, that is adding trouble to trouble.

But that, according to the Security Executive Council (SEC), an Atlanta-based research and advisory firm, is too often the case.

In a recent paper titled "Confusion about investigative program ownership/responsibility," the SEC said that, after working with "many organizations," the problems it has found with investigations include:

  • Untrained people conducting them
  • Multiple reporting systems
  • Confusion over who's in charge
  • No corporate oversight

One example it provided of that confusion was an organizational chart that showed both the Privacy and IT departments taking the "lead" in investigations of multiple problems -- regulatory guideline violations, unauthorized use of proprietary information and company records.

The chart also showed both Operations Investigations and Human Resources (HR) taking the lead on benefits fraud, and both HR and Ethics taking the lead on conflict of interest.

The solution to that confusion, the SEC says, is a trademarked concept called Unified Risk Oversight (URO).

The general principle is what the name implies: An effective investigation cannot be fragmented. It has to be unified, with a clear leader, clear lines of responsibility and comprehensive lines of communication.

And the chances for fragmentation are high. The SEC found that organizations "may be responsible for up to 67 different types of investigations and up to 13 different business functions could be engaged in these investigative activities."

Those business functions include audit, business conduct and ethics, corporate security, compliance, crisis management, environmental health and safety, governance, government affairs, HR, information security, legal, privacy and risk management.

With that many possibilities, clearly a unified structure should be established before the need for an investigation arises.

And it should be just as clear that the structure is not one-size-fits-all. The answer to who owns an investigation is: It depends on what is happening.

There is little debate among other incident response (IR) experts that fragmented investigations are not a good thing.

Sean Mason, vice president of Incident Response at Resolution1 Security, said the number of investigation types sounded about right to him, but that "new types of investigations pop up daily and not all functions are needed to respond to each issue."

He said confusion over who is in charge "tends to happen if there is a lack of corporate oversight, trust or understanding of the issue that needs to be dealt with. The most important consideration is to have an existing and agreed upon understanding of who is responsible for what, and how the issue will be both handled and communicated."

Kim Jones, senior vice president and CSO at Vantiv, said investigations typically fall to "the CSO, CISO, audit, HR, legal, ethics, and finance."

But that, he said, still leaves plenty of opportunity for investigations to become fragmented, with negative consequences.

"It is not unusual for organizations to silo investigations within their bailiwick with minimal coordination," he said. "As organizations mature, this can lead to investigative activities stepping on one another, but more often it leads to investigative actions failing to occur."

So he agrees with the SEC that "pulling together" the departments that have an investigative role is a good thing, using what he called "the RACI (responsible, accountable, consulted, informed) matrix for each function in each type of investigation. Figuring out who does what -- and when -- is essential to ensuring that things don't fall through the cracks," he said.


The SEC said the CSO may not "own" all investigations, but that, especially in situations where "many functions claim responsibility for investigations, the role of the security executive can be to facilitate role definition, organizational responsibility, and priorities."

Jones agreed that the CSO/CISO "in many cases can and should be the catalyst for these kinds of discussion. Often investigations require access to data that exists within the security tools or that only security personnel have access to."

He added that determining who owns the investigation just takes some logic. "If we defined the investigative types, and the RACI, we also define which organizations can call for an investigation and who owns the investigation," he said.

But he is emphatic that the CSO should not always oversee them. "There are things that for good order and good business, the CSO has no business knowing within the organization until a certain time," he said.

"Gathering the data from the network to make those determinations and potentially analyzing the data for appropriate indicators? Yeah, that probably should be within my wheelhouse due to skills, tools etc.," he said. "But that is different from overseeing an investigative effort."

The SEC's Kathleen Kotwica said that while it is important to define those who will lead and support an investigation, URO is not "just about a 'team.' It's a process to effectively manage different risks across the enterprise and at the same time determine how to apply company resources so that the process is not prohibitively expensive."

The URO process, she said, is to make sure that all key stakeholders are involved, that their responsibilities are clearly defined and that somebody is in charge of overseeing their efforts.

Even if the right structure is in place, however, it takes planning and practice to get it right.

Regarding planning, Mason said no matter who is overseeing investigations and who the stakeholders are, "they should be meeting regularly -- one or two times a month -- to discuss issues and how things are being handled and who may need assistance. The dialogue is especially critical these days as threats continue to morph."

He added that every department in an organization, even if it is not directly involved in an investigation, should be "immediately available to assist. And transparency -- as much as possible -- should be exercised in regards to communicating status to outside teams on the investigation."

And regarding practice, Carlo Guerriero, cybersecurity and privacy expert at PwC, said, "it is paramount that organizations continuously develop and test their incident response plans."

Stories by Taylor Armerding