Most organizations define specific security roles and responsibilities based on job descriptions. Each role outlines the part an individual plays in supporting the organization’s overall security efforts. This could be a Security Officer, a Security Auditor, or a Senior Manager, to name a few. While there are many possible roles, this chapter will focus on senior level positions such as Chief Information Security Officer (CISO), Head of Security, or Regional Security Manager. We will explore Due Diligence and Due Care from the perspective of someone who is ultimately accountable for the security of the organization, a department, or a defined scope. This person is responsible for reviewing and approving all security policies, plans, and strategies. For simplicity, we’ll refer to them as the Security Leader of the organization.
The role of a Security Leader is broad and strategic. Security evaluation and improvement efforts must be aligned with the organization’s business goals and objectives. Typically, the Security Leader is responsible for leading the development of security plans that define the organization’s short-term, mid-term, and long-term security objectives. This planning process is often supported by the use of security control frameworks, which help structure efforts around risk management, compliance, and continuous improvement.
There is also a day-to-day aspect of security governance that shapes and influences organizational processes. This includes areas like risk management during mergers and acquisitions, internal and external security audits, change management, incident response processes, and data classification. At its core, security governance is the framework that ensures security efforts are aligned with the organization’s business goals, legal obligations, and risk tolerance. It defines the responsibilities of stakeholders, the policies that guide actions, and the decision-making processes that enforce them. Good security governance provides direction, oversight, and accountability.
Finally, being a security leader comes with the responsibility for decisions that protect the organization legally, ethically, and operationally. At some point, the company — through its Security Leader — may need to justify those decisions, especially when they affect external parties such as end users like you and me. In many cases, this transparency isn’t optional; it’s required by legal and regulatory obligations.
Let’s take the example of a CISO at a company that collects personal information from users. At some point, a group of attackers exploits weaknesses in the company’s information systems and steals sensitive user data. Because their role demands more than effort, it demands accountability, Security Leaders like CISOs must be able to demonstrate that they performed their duties responsibly and took reasonable and timely actions to prevent such incidents. Otherwise, they may be held responsible for negligence, and the company will face serious business and legal consequences, including financial penalties, loss of trust, and potential criminal liability.
1. Due diligence
Due Diligence represents the actions and activities that the Security Leader takes in order to make informed decisions. This is about anticipating and doing your homework: establishing plans, policies, procedures, standards, and guidelines; performing risk assessments, risk analysis, threat modeling, and vulnerability identification; reviewing compliance requirements; running training and awareness programs, internal audits, third-party audits, and penetration tests; evaluating vendors and partners; and keeping up with the latest standards and best practices.
Due Diligence is about gathering relevant information, knowing the options, and developing a proper strategy in order to understand what should be done to meet security objectives and handle threats, and then building a framework to make that happen in the organization.
Due Diligence is knowing what needs to be done.
Real world scenario with Due Diligence properly applied
SecByStep Inc. has mandated the firm Security4All to conduct a security audit of its IT landscape, recognizing that security is a continuous effort. One key finding from the audit is the need for an anti-spam security solution, because phishing email is a leading vector in credential breaches. Before selecting a product, the CISO instructs the team to initiate a Request for Proposal (RFP). During this selection process, the team evaluates each product and each vendor’s ability to meet the identified needs, including their security certifications (such as ISO 27001 or SOC 2), data handling policies, breach history, and operating models. The CISO also requires that proper processes, documentation, and staff training be developed to support the solution, and that all activities be regularly audited to ensure they remain effective and aligned with the organization’s risk tolerance and current threat landscape.
This is Due Diligence in action: gathering the right information and assessing options thoroughly before making a security decision.
2. Due Care
Due Care is about continuously taking the appropriate actions once you are informed, that is, once Due Diligence has been performed. Now that the Security Leader has the proper information about what needs to be done to ensure the desired level of security, it’s time to act on it. Execution of the identified actions must follow. For example, this means:
- Applying software patches.
- Enforcing strong password policies.
- Backing up data regularly.
- Training staff on phishing awareness.
- Monitoring systems based on identified risks.
In short, Due Care means doing what the Security Leader knows, after Due Diligence, must be done. A key aspect of Due Care is not only what you do, but when you do it. The timing and reasonableness of your actions are essential.
Due Care means doing the right thing at the right time.
Real world scenario with Due Care properly applied
We continue with SecByStep Inc., which mandated the firm Security4All to conduct a security audit of its IT landscape, and we stick with the key finding around the anti-spam solution. The output of the RFP was the selection of a product that meets the expected security requirements. The teams also worked on the processes for configuring the solution, handling exceptions, and responding to spam. Now that the contracts are signed, the team must effectively deploy and configure the solution, respond to incidents, apply patches to the solution, train the users, and audit the effectiveness of the solution against the plan crafted beforehand. Timing matters: if the Security Leader decides to delay the deployment of the solution while knowing the risks involved, that delay is a form of negligence that may imply culpability and liability when a loss occurs. A CISO should never accept being in that position.
3. Final Thoughts
Although they are connected, Due Diligence and Due Care focus on different phases of responsibility:
Due Diligence core ideas
- Preparation and awareness.
- Thinking and planning.
- Think before you act.
Due Care core ideas
- Doing what a reasonable person would do to protect against the risks.
- Doing and enforcing.
- Act responsibly after thinking.
For a Security Leader, understanding this distinction is central to demonstrating a mature, thoughtful, and responsible approach to protecting the organization and its customers. These principles are also frequently tested in legal contexts, such as data breaches, regulatory investigations, or lawsuits. Proving that you followed both can protect the organization and the Security Leader as a professional.
What’s Next?
Now that you know the difference between Due Diligence and Due Care, you should be able to avoid the confusion that certifications such as the CISSP can create around these terms.
In this post, we talked about knowing the risks and planning what to do about them. In the next post, I will explore risk terminology. I think it is important to have a clear understanding of the concepts involved in qualifying, describing, and understanding risks.
Stay tuned and stay secure!