Tuesday, October 22, 2019

Responsibility And Accountability in Cyber Security

Every business process has an owner, whether or not the owner knows they own it.

Critical business processes often cut across multiple disciplines, and that complexity makes ownership and roles unclear. Securing a business process means finding the person who can own the decisions and keep the process on track and off the rocks.

A RACI-V (responsible, accountable, consulted, informed, verifies) matrix can help clarify and decipher this ownership. This post focuses on the "R" and the "A" as they apply to business process ownership. We'll discuss the advantages of broader use of RACI-V matrices in future posts.

What’s the difference between “responsible” and “accountable” in the context of a RACI-V?

Responsible: The responsible group or individual (the "party") is the prime mover for the business process and owns its execution.

Accountable: The accountable party owns the definition of success and the outcome or results of the business process. The accountable party is always the business process owner.

The most common errors related to "R" and "A" on a RACI-V are the following:

More than One Responsible (or Accountable) Party: Only one party can be responsible, and only one party can be accountable, for any given process.

More than one owner is a good indicator that the business process has not been defined at a granular enough level; split it into finer-grained processes until each has a single "R" and a single "A".

Cutting/Pasting: There seems to be a common assumption that the responsible party and the accountable party are the same. They are not always the same.

The employee on-boarding process is a good demonstrative example of the difference between the responsible party and the accountable owner. In a typical organization, responsibility for employee on-boarding lies with the IAM team: they own the tooling and serve as the prime mover for the on-boarding process. The accountable party, the business process owner, would be Human Resources. HR owns the definitions, metrics, and outcomes for employee on-boarding.
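The two errors above are easy to catch mechanically once a RACI-V is written down as data. The following linter is an added example, not the author's tooling, and the matrix it checks is constructed for illustration (the on-boarding row follows the HR/IAM split described above; the other two rows are hypothetical). It flags processes with zero or multiple "R" or "A" parties as errors, and flags a process whose single "R" and "A" are the same party as something to confirm rather than assume.

```python
"""Lint a RACI-V matrix for the "R" and "A" mistakes discussed in the post.

Added example; the matrix below is constructed, not taken from any real organization.
"""
from __future__ import annotations

from dataclasses import dataclass

ROLES = {"R", "A", "C", "I", "V"}  # responsible, accountable, consulted, informed, verifies


@dataclass
class Finding:
    process: str
    severity: str  # "error" for a broken matrix, "info" for something to confirm
    message: str


def lint_raci(matrix: dict[str, dict[str, str]]) -> list[Finding]:
    """matrix maps a process name to {party: role letters}, e.g. {"HR": "A", "IAM": "RV"}."""
    findings: list[Finding] = []
    for process, assignments in matrix.items():
        holders: dict[str, list[str]] = {"R": [], "A": []}
        for party, roles in assignments.items():
            for role in roles.upper():
                if role not in ROLES:
                    findings.append(Finding(process, "error",
                                            f"unknown role letter {role!r} for {party}"))
                elif role in holders:
                    holders[role].append(party)

        # Rule 1: exactly one responsible party and exactly one accountable party.
        for role, name in (("R", "responsible"), ("A", "accountable")):
            parties = holders[role]
            if not parties:
                findings.append(Finding(process, "error",
                                        f"no {name} party; nobody owns this process"))
            elif len(parties) > 1:
                findings.append(Finding(process, "error",
                                        f"{len(parties)} {name} parties ({', '.join(parties)}); "
                                        "split the process into finer-grained steps"))

        # Rule 2: R == A is allowed but is the classic cut/paste mistake, so ask.
        if len(holders["R"]) == 1 and holders["R"] == holders["A"]:
            findings.append(Finding(process, "info",
                                    f"{holders['R'][0]} is both responsible and accountable; "
                                    "confirm this is deliberate, not a cut/paste"))
    return findings


# Constructed sample matrix (hypothetical party names apart from HR and IAM).
SAMPLE_MATRIX = {
    "employee on-boarding": {"HR": "A", "IAM": "R", "Hiring manager": "C", "Security": "V"},
    "privileged access review": {"Security": "RA", "IAM": "C", "Audit": "V"},
    "vendor off-boarding": {"Procurement": "R", "IAM": "R", "Legal": "I"},
}


def findings_for(process: str, matrix: dict[str, dict[str, str]] = SAMPLE_MATRIX) -> list[Finding]:
    """Convenience wrapper: findings for a single process in the given matrix."""
    return [f for f in lint_raci(matrix) if f.process == process]


if __name__ == "__main__":
    for f in lint_raci(SAMPLE_MATRIX):
        print(f"[{f.severity}] {f.process}: {f.message}")
```

Running it on the sample matrix reports nothing for on-boarding, one "info" for the review process where Security holds both letters, and two errors for vendor off-boarding (two responsible parties and no accountable owner). The same shape of check works for a RACI-V kept in a spreadsheet or YAML file once it is loaded into the same nested-dict form.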

Key rule of thumb: responsibility can be delegated; accountability cannot.

As a cyber professional trying to secure business processes, you'll need to identify and work with the business process owners, and to unravel and work with any of their delegates. Perhaps business analysts have already completed this work for you; perhaps not.

The business process owners are the linchpins of true enterprise cyber security.

A RACI-V can help unravel, decipher, and formalize ownership and accountability. 

Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on twitter or Linkedin and I'll read it.

