Compliance Officers Not Involved in Cyber Security?

Brian Wood Blog

One danger of specialization is silo-ization and gaps.

“Sorry, that’s not my area of responsibility; I do X. Hopefully Bob in IT has it covered.”

Yeah, let’s hope.

Or better yet, let’s have a single-subject meeting with all the relevant players to outline explicitly who is responsible for what.

Article posted on Help Net Security.

Emphasis in red added by me

Brian Wood, VP Marketing

————

Most compliance officers play little role in cyber security

Seventy-five percent of compliance officers are not involved in managing cyber security risk according to a report from Kroll and Compliance Week.

In a survey of senior-level compliance professionals, nearly 44 percent of respondents also said the chief compliance officer (CCO) is only responsible for privacy compliance and breach disclosure after an incident, but has no role in addressing cyber security risks before one.

These statistics draw attention to a gap in responsibilities as cyber security lapses can often involve hefty penalties or sanctions, civil litigation and compliance issues. As the CCO role evolves, the need for influence in managing cyber security risk will increase.

Alan Brill, senior managing director for Kroll, says compliance officers should have a strong enough grasp of cyber security to know when they should be involved in a problem—and, he stresses, other parts of the corporate enterprise need to recognize that compliance has a role to play from the beginning.

“Every compliance officer needs to decide whether it’s time for them to be Captain Kirk and boldly go into cyber,” says Brill, “and to do it by forging a partnership with the IT director, with the general counsel, with the internal auditor—so that the cyber elements of compliance are just the everyday part of your work.”

More findings:

  • More than 50 percent of compliance professionals anticipate the bribery and corruption risks to their company will increase this year.
  • 58 percent never train third parties.
  • Only 43 percent monitor compliance after a third-party relationship begins.
  • Only 48 percent automate their anti-corruption program in some way.

http://www.net-security.org/secworld.php?id=16892