The last things an organization needs when launching an investigation into any kind of security breach are confusion and disorganization.
If it is not clear who is really in charge, or which responsibilities fall to which departments, that adds trouble to trouble.
But that, according to the Security Executive Council (SEC), an Atlanta-based research and advisory firm, is too often the case.
In a recent paper titled “Confusion about investigative program ownership/responsibility,” the SEC said that, after working with “many organizations,” the problems it has found with investigations include:
- Untrained people conducting them
- Multiple reporting systems
- Confusion over who’s in charge
- No corporate oversight
One example it provided of that confusion was an organizational chart that showed both the Privacy and IT departments taking the “lead” in investigations of multiple problems – regulatory guideline violations, unauthorized use of proprietary information and company records.
The chart also showed both Operations Investigations and Human Resources (HR) taking the lead on benefits fraud, and both HR and Ethics taking the lead on conflict of interest.
The solution to that confusion, the SEC says, is a trademarked concept called Unified Risk Oversight (URO).
The general principle is what the name implies: An effective investigation cannot be fragmented. It has to be unified, with a clear leader, clear lines of responsibility and comprehensive lines of communication.
And the chances for fragmentation are high. The SEC found that organizations “may be responsible for up to 67 different types of investigations and up to 13 different business functions could be engaged in these investigative activities.”
Those business functions range from audit to business conduct and ethics, corporate security, compliance, crisis management, environmental health and safety, governance, government affairs, HR, information security, legal, privacy and risk management.
With that many possibilities, clearly a unified structure should be established before the need for an investigation arises.
And it should be just as clear that the structure is not one-size-fits-all. The answer to who owns an investigation is: It depends on what is happening.
There is little debate among other incident response (IR) experts that fragmented investigations are not a good thing.
Sean Mason, vice president of Incident Response at Resolution1 Security, said the number of investigation types sounded about right to him, but that, “new types of investigations pop up daily and not all functions are needed to respond to each issue.”
He said confusion over who is in charge “tends to happen if there is a lack of corporate oversight, trust or understanding of the issue that needs to be dealt with. The most important consideration is to have an existing and agreed upon understanding of who is responsible for what, and how the issue will be both handled and communicated.”