Kim Jones, senior vice president and CSO at Vantiv, said investigations typically fall to, “the CSO, CISO, audit, HR, legal, ethics, and finance.”
But that, he said, still leaves plenty of opportunity for investigations to become fragmented, with negative consequences.
“It is not unusual for organizations to silo investigations within their bailiwick with minimal coordination,” he said. “As organizations mature, this can lead to investigative activities stepping on one another, but more often it leads to investigative actions failing to occur.”
So he agrees with the SEC that “pulling together” the departments that have an investigative role is a good thing, using what he called, “the RACI (responsible, accountable, consulted, informed) matrix for each function in each type of investigation. Figuring out who does what – and when – is essential to ensuring that things don't fall through the cracks,” he said.
[ 5 steps to take when a data breach hits ]
The SEC said the CSO may not “own” all investigations, but that especially in situations where, “many functions claim responsibility for investigations, the role of the security executive can be to facilitate role definition, organizational responsibility, and priorities.”
Jones agreed that the CSO/CISO, “in many cases can and should be the catalyst for these kinds of discussion. Often investigations require access to data that exists within the security tools or that only security personnel have access to.”
Kim Jones, senior vice president and CSO, Vantiv
He added that determining who owns the investigation just takes some logic. “If we defined the investigative types, and the RACI, we also define which organizations can call for an investigation and who owns the investigation,” he said.
But he is emphatic that the CSO should not always oversee them. “There are things that for good order and good business, the CSO has no business knowing within the organization until a certain time,” he said.
“Gathering the data from the network to make those determinations and potentially analyzing the data for appropriate indicators? Yeah, that probably should be within my wheelhouse due to skills, tools etc.,” he said. “But that is different from overseeing an investigative effort.”
The SEC’s Kathleen Kotwica said while it is important to define those who will lead and support an investigation, URO is not, “just about a ‘team.’ It's a process to effectively manage different risks across the enterprise and at the same time determine how to apply company resources so that the process is not prohibitively expensive.”
The URO process, she said, is to make sure that all key stakeholders are involved, that their responsibilities are clearly defined and that somebody is in charge of overseeing their efforts.
Even if the right structure is in place, however, it takes planning and practice to get it right.
Regarding planning, Mason said no matter who is overseeing investigations and who the stakeholders are, “they should be meeting regularly – one or two times a month – to discuss issues and how things are being handled and who may need assistance. The dialogue is especially critical these days as threats continue to morph.”
He added that every department in an organization, even if it is not directly involved in an investigation, should be, “immediately available to assist. And transparency – as much as possible – should be exercised in regards to communicating status to outside teams on the investigation.”
And regarding practice, Carlo Guerriero, cybersecurity and privacy expert at PwC, said, “it is paramount that organizations continuously develop and test their incident response plans.”
This story, "Who ‘owns’ an investigation into a security breach?" was originally published by CSO.