Data breaches have progressed from low probability, high consequence events to high probability, high consequence events. This shift requires that senior executives become more involved to help reduce financial impact and protect their companies’ reputation and brand. Cybersecurity frameworks like NIST, HITRUST, PCI DSS, COBIT, and OSI provide the structure to facilitate senior executive participation. The technical perspective, sophistication, and complexity of frameworks can lead to silos of cybersecurity management. Cross-functional accountability for effective corporate cybersecurity management is required. A Responsibility Assignment Matrix within a cybersecurity framework can visually and effectively illustrate cross-functional ownership of the corporate cybersecurity plan. Ownership of the creation and maintenance of the corporate security plan should remain with either the security or IT department. Many aspects of cybersecurity accountability naturally reside outside of the security and IT departments. Please visit this site and explore how corporate accountability can be incorporated with cybersecurity planning. http://processdeliverysystems.com/v2pds_nist/index.htm Click here to download the presentation Accountability for Corporate Cybersecurity, Who Owns What? http://processdeliverysystems.com/v2pds_nist/documents/PDS_Accountabiliy_NIST_Cybersecurity_Framework.pdf Click here to download the Responsibility Assignment Matrix for the NIST Cybersecurity Framework. http://processdeliverysystems.com/v2pds_nist/documents/PDS_NIST_Cybersecurity_Framework_RACI.pdf We welcome your questions, insights, and comments.

1. Accountability for
Corporate Cybersecurity
‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐
Who Owns What?
‐‐‐‐‐‐‐‐‐‐‐
l ll f d d b lClear, Visually Defined Corporate‐Wide Accountability
Within the NIST Cybersecurity Framework
Bridging the gap between operations and strategy

2. Cybersecurity is a Corporate Responsibilityy y p p y
“Boards that choose to ignore, or minimize, the importance of
b i d h i il ” L i A A il C i i
b h h d f l b b l h h
cybersecurity, do so at their own peril,” Luis A. Aguilar, Commissioner,
New York Stock Exchange1
 Data security breaches have progressed from low probability, high
consequence to high probability, high consequence
 Cyber attacks are creating more concern about potential damage to
2corporate reputation, class action lawsuits, and costly downtime2
 Senior executives are motivated to become involved in data breach
response:
 Help reduce financial impact2
 Protect their companies’ reputation and brand2
© 2015 Process Delivery Systems
1June 10, 2014 Speech ‐ Boards of Directors, Corporate Governance and Cyber‐Risks: Sharpening the Focus
2Ponemon Institute – The Importance of Senior Executive Involvement in Breach Response, October 2014

3. Cross‐Functional Accountability for Effective
Corporate C bersec rit Management is Req iredCorporate Cybersecurity Management is Required
 The NIST Cybersecurity Framework is Comprehensive, Well‐
Vetted, and Widely Adopted
 The Framework’s Technical Aspects, Sophistication, and
Complexity can Lead to Silos of Cybersecurity Management andComplexity can Lead to Silos of Cybersecurity Management and
Response Within the Organization
 Ownership of the Creation and Maintenance of the Corporate
Security Plan Should Remain with Either the Security or IT
Department
 Many Aspects of Cybersecurity Accountability Naturally Reside
Outside of the Security and IT Departments
© 2015 Process Delivery Systems

4. Assignment of Corporate
C bersec rit Acco ntabilitCybersecurity Accountability
Responsibility Assignment Matrix (RACI Matrix) Used to Assign
Responsible (The Doers) ‐ Those who do the work to achieve the
Accountability Across the Organization
Responsible (The Doers) ‐ Those who do the work to achieve the
task. There is at least one role with a participation
type of Responsible.
Accountable (The Buck Stops Here) The one ultimatelyAccountable (The Buck Stops Here) ‐ The one ultimately
answerable for correctness and thoroughness of the
completed task.
C lt Th h i i ht t i ll bj tConsult Those whose opinions are sought, typically subject
matter experts. Two‐way communication.
Inform Those kept up to date on progress with whom there
© 2015 Process Delivery Systems
is one‐way communication.

5. NIST Cybersecurity Framework
Within PDFrame orkWithin PDFramework
PDFramework – A Web Framework Designed to Deliver
P d l C d R l f A bili i hProcedural Content and Roles of Accountability with
Unprecedented Visual Clarity
© 2015 Process Delivery Systems

6. Within the Identify Category – Understand
and Prioriti e the B siness En ironmentand Prioritize the Business Environment
© 2015 Process Delivery Systems

7. Understanding and Prioritizing the Business
Factors Better Suited to CFO or Strategic CommitteeFactors Better Suited to CFO or Strategic Committee
© 2015 Process Delivery Systems

8. Awareness and Training Within the
Protect CategorProtect Category
© 2015 Process Delivery Systems

9. Awareness and Training Accountability
Belongs to the Director of Security, Various
bl fDepartments are Responsible for Execution
© 2015 Process Delivery Systems

10. Data Breach Response Coordination Must Be
Caref ll Designed and Effecti el E ec tedCarefully Designed and Effectively Executed
© 2015 Process Delivery Systems

11. Design and Execution of Public Facing
Response Efforts Better Suited for the
l dLegal and Communications Team
© 2015 Process Delivery Systems

12. Questions, Insights, and
C t R t dComments Requested
Please visit the PDFramework version of the NIST Cybersecurity Framework at:
h
• http://processdeliverysystems.com/v2pds_nist/index.htm
Henry Draughon
Office: (972) 980‐9041
Cell: (214) 707‐4450
hdraughon@processdeliverysystems comhdraughon@processdeliverysystems.com
www.processdeliverysystems.com
© 2015 Process Delivery Systems