CIOs are best-placed to co-ordinate reactions to data breaches, according to an HP-sponsored study.
More than half of 495 senior executives surveyed told the tech giant the chief information officer has the most responsibility to lead their company’s response to a cyber attack, compared to just 27% who picked the CISO.
HP Enterprise Security Services told CBR this reflected the firm’s recommendation to adopt a business-wide attitude to security, and said the CIO has a wider range of responsibilities than the CISO.
Security strategy head Richard Archdeacon said: "I think that is because you can get the pan-organisational view from that role. The CIO can span all of IT rather than just the security aspect, they would be in a better position to pull the strands together."
HP’s study, carried out by the Ponemon Institute, found that 85% of firms included the legal department in their incident response strategies, followed by compliance and IT divisions at 70%, with HR and finance both involved by 55% of companies surveyed.
Archdeacon said: "It’s about making an end to end approach to security. You have a whole series of people involved in participating in incident response planning, it’s bringing together all of those different threads."
Another 79% of respondents said it was crucial senior executives were involved in planning a strategy, and HP recommended drilling staff to test how ready a firm was for a cyber attack.
However, while eBay is being served with a class action lawsuit after losing an alleged 145 million customer details following a hacker breach back in February, HP highlighted the insider threat as an overlooked business risk.
"It’s the person in a position of trust who accidentally creates a breach by sending the wrong information out or putting a spreadsheet out mistakenly," warned Archdeacon.
While the ‘new style of IT’, such as cloud computing and BYOD, have made this risk more prevalent, he added, firms must educate their staff to ensure they act responsibly to avoid accidental human error breaches.
"It’s not just looking at access and privileges but looking at how the data should be managed and issues like user awareness and user education," Archdeacon said.