RSA Survey: Chief Information Security Officers Bear Brunt of Data Breach Responsibility

Tripwire survey examines views of information security professionals at annual IT security conferences

Portland, Ore. — April 29, 2015 — Tripwire, Inc., a leading global provider of advanced threat, security and compliance solutions, today announced the results of a survey of 250 attendees at RSA Conference USA 2015 and BSidesSF 2015 in San Francisco, California.

In spite of pervasive vulnerability to devastating cyber attacks across a broad range of industries, information security experts attending two of the industry’s leading conferences believe that C-level technology executives would and should be held responsible for data breaches, according to the survey.

When asked, “Who would be held responsible in the wake of a data breach on critical infrastructure in your organization,” 41 percent of survey respondents said “CIO, CISO or CSO.” When asked, “Who should be held responsible in the wake of a data breach on critical infrastructure in your organization,” 35 percent said “CIO, CISO or CSO.” Only 18 percent of respondents believe the chief executive officer would be held responsible and only 10 percent believe the company board would be held responsible.

“Cyber security liability is difficult to assign because you have to determine who knew about the risks, and then you have to figure out what they did, or did not do, about them,” said Ken Westin, senior security analyst for Tripwire. “If the CEO is made aware of security risks and does not provide the resources or plans to fix them, they own some of the responsibility. On the other hand, if the CISO does not share information about risk in a format that the CEO can understand, or fails to deploy the security controls and monitoring necessary to identify potential risks, then a greater share of the responsibility falls on her. However, cyber security is a team sport that requires active support across the organization and from all levels of the executive team.”

For more information, please visit:

About Tripwire

Tripwire is a leading provider of security, compliance and IT operations solutions for enterprises, industrial organizations, service providers and government agencies. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context; together these solutions integrate and automate security and IT operations. Tripwire’s portfolio of enterprise-class solutions includes configuration and policy management, file integrity monitoring, vulnerability management, log management, and reporting and analytics. Learn more at, get security news, trends and insights at or follow us on Twitter @TripwireInc.

Press Contacts

Ray Lapena
PR Manager