1. IT practitioners are not confident about their organization's ability to detect the loss or theft of sensitive or confidential information (10% were very confident, 34% were not confident and 18% were unsure).
2. IT practitioners are not very confident in their ability to learn all of the facts about a data breach once one has occurred.
3. Many organizations have not clearly defined who is responsible for data breach management. Over 43% of the IT practitioners reported that no one in their organization is responsible for data breach management. Another 23% were unsure who was responsible.
In order to effectively mitigate the risk of a security breach, the first crucial step is to define who in the organization is responsible for developing a security incident response plan. One person should hold primary responsibility, but that person should be backed by an incident response planning team drawn from the relevant departments of the organization, which may include HR, public relations, legal, compliance, IT and (for public companies) investor relations. A major security breach can have an enormous and far-reaching impact on an organization, so it is imperative to have a clear assignment of authority and an incident response team that can quickly mobilize the appropriate resources throughout the organization. As the survey results suggest, an organization that has not clearly allocated responsibility for breach response is also likely to have difficulty detecting and investigating breach incidents, because no one owns those tasks either. For more information on the Compuware/Ponemon study, see the June 9 issue of BNA's Privacy & Security Law Report or contact The Ponemon Institute at [email protected].
There's an old poker saying that if you can't spot the mark at the table, then it's probably you. For IT and security professionals, the same may be true for security breach response. If you don't know who in your organization is responsible for managing security breach response, then it just might be you ....