Who is viewed as formal owner of your cybersecurity risks?
A poll for anyone in any organisation. This isn’t asking who should be risk owner, it’s asking who the majority of staff think owns these risks.
You can chose one answer, or specify your own. If you believe there are multiple risk owners, choose the role holder most people in your organisation see as ultimately accountable for impact resulting from poor security.
- If a project has unresolved security vulnerabilities, and needs to go live, who is asked to sign that risk off?
- If a team is working fast to deliver a digital solution, and argues they have to use production data to test it, who is asked to formally approve that?
- Who do you go to for final sign off, if the business wants to sign a vendor contract before security due diligence is complete?
- When there are insecure websites/user access processes/data transfers, and the business argues there is no time or budget to fix them, who has the final say on whether or not that’s acceptable?
Obviously this is a rough and ready poll, without the benefit of information about respondents, but that will be respected in the way results are shared.
Comments are also very welcome. Perhaps you think risks are owned by the wrong people, perhaps you want to share a justification for your answer, or perhaps you have a link to great guidance on the subject.
Thanks again for taking the time to click and participate.