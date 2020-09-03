Gartner has warned that corporate CEOs could soon be personally liable if they fail to adequately secure IT systems connected to the physical world. The analyst firm predicts that as many as 75% of business leaders could be held liable by 2024 as regulation of so-called "cyber-physical systems" (CPSs), such as IoT and operational technology (OT), increases.
Chris Clark, Automotive Security Software Platform Architect, Synopsys
September 03, 2020
The challenge in holding an individual responsible for adequately securing IT systems is that there is a lack of industry standards to be measured against. While some cybersecurity standards for vertical industries and for practices within business processes do exist, it can certainly be argued that they are not detailed enough. Key standards such as ISA-62443-1-1-2007 Security for Industrial Automation and Control Systems, ISO/SAE DIS 21434 Road Vehicles — Cybersecurity Engineering, and the Payment Card Industry Data Security Standard (PCI DSS) outline comprehensive processes and requirements, but they do not call for detailed testing of the components used to build solutions. Nor do these standards define the consistent and measurable security testing and maintenance that organisations must carry out, so there is no agreed benchmark against which "adequate" security can be judged.

Another challenge involves the expertise of the staff implementing security solutions. Certifications show that the individuals performing an action are qualified and can be held responsible for their actions, but not at the level of a licensed healthcare provider or another stringently regulated profession.

Until there is legislation that addresses these ambiguities, holding a CEO accountable for others' actions will be difficult and error-prone at best. In cases of clear violation of the law, cover-ups, or outright negligence, CEOs should be held responsible, but laws already exist for such transgressions.
