Who 'owns' an investigation into a security breach
If it is not clear who is really in charge, or what responsibilities fall to what departments, that is adding trouble to trouble.
But that, according to the Security Executive Council (SEC), an Atlanta-based research and advisory firm, is too often the case.
In a recent paper titled, "Confusion about investigative program ownership/responsibility," the SEC said after working with "many organizations," the problems it has found with investigations include:
One example it provided of that confusion was an organizational chart that showed both the Privacy and IT departments taking the "lead" in investigations of multiple problems -- regulatory guideline violations, unauthorized use of proprietary information and company records.
The chart also showed both Operations Investigations and Human Resources (HR) taking the lead on benefits fraud, and both HR and Ethics taking the lead on conflict of interest.
The solution to that confusion, the SEC says, is a trademarked concept called Unified Risk Oversight (URO).
The general principle is what the name implies: An effective investigation cannot be fragmented. It has to be unified, with a clear leader, clear lines of responsibility and comprehensive lines of communication.
And the chances for fragmentation are high. The SEC found that organizations, "may be responsible for up to 67 different types of investigations and up to 13 different business functions could be engaged in these investigative activities."
Those business functions range from audit to business conduct and ethics, corporate security, compliance, crisis management, environmental health and safety, governance, government affairs, HR, information security, legal, privacy and risk management.
With that many possibilities, clearly a unified structure should be established before the need for an investigation arises.
And it should be just as clear that the structure is not a one-size-fits-all. The answer to who owns an investigation is: It depends on what is happening.
There is little debate among other incident response (IR) experts that fragmented investigations are not a good thing.
Sean Mason, vice president of Incident Response at Resolution1 Security, said the number of investigation types sounded about right to him, but that, "new types of investigations pop up daily and not all functions are needed to respond to each issue."
He said confusion over who is in charge, "tends to happen if there is a lack of corporate oversight, trust or understanding of the issue that needs to be dealt with. The most important consideration is to have an existing and agreed upon understanding of who is responsible for what, and how the issue will be both handled and communicated."
Kim Jones, senior vice president and CSO at Vantiv, said investigations typically fall to, "the CSO, CISO, audit, HR, legal, ethics, and finance."
But that, he said, still leaves plenty of opportunity for investigations to become fragmented, with negative consequences.
"It is not unusual for organizations to silo investigations within their bailiwick with minimal coordination," he said. "As organizations mature, this can lead to investigative activities stepping on one another, but more often it leads to investigative actions failing to occur."
So he agrees with the SEC that "pulling together" the departments that have an investigative role is a good thing, using what he called, "the RACI (responsible, accountable, consulted, informed) matrix for each function in each type of investigation. Figuring out who does what -- and when -- is essential to ensuring that things don't fall through the cracks," he said.
[ 5 steps to take when a data breach hits ]
The SEC said the CSO may not "own" all investigations, but that especially in situations where, "many functions claim responsibility for investigations, the role of the security executive can be to facilitate role definition, organizational responsibility, and priorities."
Jones agreed that the CSO/CISO, "in many cases can and should be the catalyst for these kinds of discussion. Often investigations require access to data that exists within the security tools or that only security personnel have access to."
He added that determining who owns the investigation just takes some logic. "If we defined the investigative types, and the RACI, we also define which organizations can call for an investigation and who owns the investigation," he said.
But he is emphatic that the CSO should not always oversee them. "There are things that for good order and good business, the CSO has no business knowing within the organization until a certain time," he said.
"Gathering the data from the network to make those determinations and potentially analyzing the data for appropriate indicators Yeah, that probably should be within my wheelhouse due to skills, tools etc.," he said. "But that is different from overseeing an investigative effort."
The SEC's Kathleen Kotwica said while it is important to define those who will lead and support an investigation, URO is not, "just about a 'team.' It's a process to effectively manage different risks across the enterprise and at the same time determine how to apply company resources so that the process is not prohibitively expensive."
The URO process, she said, is to make sure that all key stakeholders are involved, that their responsibilities are clearly defined and that somebody is in charge of overseeing their efforts.
Even if the right structure is in place, however, it takes planning and practice to get it right.
Regarding planning, Mason said no matter who is overseeing investigations and who the stakeholders are, "they should be meeting regularly -- one or two times a month -- to discuss issues and how things are being handled and who may need assistance. The dialogue is especially critical these days as threats continue to morph."
He added that every department in an organization, even if it is not directly involved in an investigation, should be, "immediately available to assist. And transparency -- as much as possible -- should be exercised in regards to communicating status to outside teams on the investigation."
And regarding practice, Carlo Guerriero, cybersecurity and privacy expert at PwC, said, "it is paramount that organizations continuously develop and test their incident response plans."