As a business leader, you must abide by laws and regulations and by your contractual obligations, and you must demonstrate due diligence in how you manage cybersecurity.
Laws and regulations
Some of your accountability stems from laws and regulations, particularly privacy laws, when you process electronic information. In Canada, at the federal level, we have the Personal Information Protection and Electronic Documents Act (PIPEDA). There are also provincial regulations: in British Columbia, we must abide by the Personal Information Protection Act (PIPA). If you collect or process data belonging to a European Union (EU) citizen, then you must also abide by the EU’s General Data Protection Regulation (GDPR).
Accountability may also stem from the contractual obligations you have with your customers, third parties and business partners. These contracts will oblige you to implement security measures, such as encryption, to safeguard personal data. They will most likely also require backup and recovery procedures so that you can continue to serve your customers or business partners even if something goes amiss.
Businesses must demonstrate that they are actively addressing these obligations, whether legal or contractual. You are accountable for safeguarding data and for demonstrating due diligence. This is done by implementing security policies and procedures and by configuring and operating your IT systems securely. You may delegate that responsibility to various staff members or to third-party managed IT service providers, but you must still be able to show due diligence. The weakest link in your organization’s security is its end-users: it is your employees who process data on a daily basis, and they too have a responsibility to follow security policies and procedures in their day-to-day work. Cybersecurity responsibility is spread across the entire organization.