Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA's Virtual AI Summit to discover AI's business impact, tackle security challenges, and ensure compliance with evolving regulations.

Lanes in the Road: How Small and Medium Businesses Can Allocate Cybersecurity Responsibility

Published 01/06/2025

Home
Industry Insights
Lanes in the Road: How Small and Medium Businesses Can Allocate Cybersecurity Responsibility

Originally published by Scrut Automation.

Written by Nicholas Muy, Chief Information Security Officer, Scrut Automation.


After suffering a devastating ransomware attack in early 2023, the law firm Mastagni Holstedt turned around and sued its Managed Service Provider (MSP), LanTech. While the legal case is still open, some important details from it illustrate key lessons for small and medium businesses (SMBs) when it comes to cybersecurity.

First of all, the law firm and MSP appear to have only had a verbal contract to provide services. This makes it very difficult to determine who was accountable for doing what.

Additionally, the law firm found out that its backups stored with the service provider, Acronis, had been deleted prior to the activation of the ransomware. This is a common technique for ransomware gangs. They understand that if a victim has backups of its data, the ransom demand will not be especially effective.

Acronis noted, however, that legitimate credentials from the firm were used to delete the backups. It’s hard to fault a software provider for allowing access to a user with valid credentials, even if it later became clear that the user was acting maliciously. On the other hand, if the reverse occurred—where Mastagni Holstedt needed to access its backups but was denied due to a false positive flag for suspicious activity—it’s easy to imagine the law firm being just as frustrated.

Unfortunately, such confusion is common in the security world. So in this post, we’ll look at some common techniques for assigning roles and responsibilities when it comes to managing cybersecurity, compliance, and privacy risk. Many of the suggestions are applicable both internally and externally to employees, contractors, vendors, and even customers.


Step 1: Use RACI to clearly define roles

RACI helps assign roles and tasks related to risk management

The first step toward building cybersecurity responsibility is providing an excellent framework for assigning tasks related to risk management. Let’s leverage the RACI matrix to streamline role assignments and enhance accountability in cybersecurity tasks.

For example, assume a company must collect compliance-related documentation before an upcoming audit. It could allocate duties in the following way:

  • Responsible: Governance, Risk, and Compliance (GRC) analysts - Individual contributors like these analysts would be responsible for collecting the evidence, adding it to the appropriate repositories, and confirming the completion of the work. Alternatively, they could likely automate most of this process if they have the right tools.
  • Accountable: Director of GRC - This person likely wouldn’t be doing the work personally but would be accountable for achieving the final goal. Only one person can hold this role, as it requires making decisions that impact the task’s outcome.
  • Consulted: Individual business unit leaders - Collecting evidence will likely require the GRC analysts to access various systems, many of which will be owned by other business units like marketing, human resources, and information technology. Thus, the heads of these organizations will require consultation to ensure they are aligned and supporting the mission.
  • Informed: Vice President (VP) of Operations - Finally, the VP of Operations is unlikely to be involved in the day-to-day evidence collection operation but will have a vested interest in the outcome. Thus, this person should be informed upon completion or if the team encounters any problems requiring additional assistance.

An effective RACI matrix clarifies accountability, reduces uncertainty, and speeds up task completion. Similarly, risk ownership is a process that benefits greatly from a structured approach.


Step 2: Document risk ownership clearly using a single source of truth

As an organization grows and matures, it will identify more security and compliance risks. While this is normal, the key is managing these risks effectively. We’ve already discussed the four ways in which businesses can do so (accept, mitigate, transfer, and avoid). But in this section, we’ll discuss how they can track these types of decisions effectively.

A risk register is at the center of a risk ownership program. It is the single source of truth that identifies all of a company’s potential issues, who is accountable for (or owns) them, what decision that person has made about the risk, and when to revisit that decision.

By clarifying things in this manner, everyone in the organization can have an informed discussion about the business's challenges, the resources available to tackle them, and the most efficient way to use them.

Practices to avoid

Using a purpose-built GRC tool can save you huge amounts of time and effort when constructing your risk register. And it can help you avoid some of these common pitfalls.


Step 3: Vet third parties

In addition to measuring risks posed by internal factors (employee awareness, vulnerabilities in self-hosted applications, lack of appropriate policies and procedures, etc.), understanding external factors is equally — and potentially more — important from a risk assignment perspective.

Third parties, such as vendors and open-source projects, can introduce substantial risks into your supply chain and business operations. Developing an effective set of tools to measure this risk can help you make informed decisions.

Some example practices include:

  • Sending security questionnaires to vendors with access to business-critical data to understand their access control, disaster recovery, encryption, vulnerability management, and related procedures. Tracking their responses in a single place becomes increasingly vital as you scale.
  • Reviewing third-party attestation reports like System and Organization Controls (SOC) 2, and certifications like ISO 27001. While not foolproof, these standards require adhering to a minimum baseline of security, privacy, and compliance practices.
  • Using a security ratings tool to understand vendor risk dynamically. Different offerings exist to help companies understand the relative security posture of their suppliers. These tools monitor things like open ports, unpatched vulnerabilities, and similar external indicators of the relative risk posed to a network.

While knowing is half the battle, the other half is equally important. This consists of actually doing something about the risks you’ve identified.


Step 4: Distribute risk using contracts

As Mastagni Holstedt discovered, its expectations of what its MSP would offer in terms of security protections varied greatly from what the law firm actually got. Without a formal written contract, it’s highly likely both parties had different understandings about their roles and responsibilities.

Contracts are the best way to clarify mutual understanding about each party’s responsibilities when it comes to security and compliance. Some examples of how to use a contract this way include:

  • Requiring a vendor to maintain ISO 27001 certification as a condition of continued business. Because the standard requires annual surveillance audits, a contractual requirement like this can help to prevent a vendor from experiencing “configuration drift,” where the day-to-day realities of business operations mean that its security posture degrades over time.
  • Establishing service level agreements (SLA) regarding data confidentiality, integrity, and availability. While SLAs addressing the latter are most common, it is certainly conceivable that organizations could assign risks related to data breaches or corruption using an SLA.
  • Mandating that a vendor participates in your organization’s bug bounty program. While running a bug bounty program requires a high level of maturity, it makes sense to include key parts of your supply chain once it is up and running. By paying ethical hackers to identify flaws in both your and your suppliers’ networks, you can help to improve everyone’s security.


Step 5: Apply compensating controls

If, after doing all of the above, however, you determine that there is still unmanaged risk, you have some difficult choices to make. Aside from terminating the vendor contract (avoiding the risk) or just accepting the residual risk, you can take creative approaches to deal with it.

  • If you're concerned about a vendor’s data security practices but still need to use their services, you might consider risk mitigation strategies like double encryption. This approach allows you to apply an additional encryption layer—managed with your own keys—beneath the vendor’s existing encryption on data stored within their systems. Although this can present logistical challenges, it offers an extra layer of protection, giving you greater confidence in the security of your data in the event of a breach.
  • Alternatively, you may simply decide to increase your cyber insurance coverage as a result of security gaps you identify in a vendor. Using this additional cost as leverage during negotiations can help you to offset some or all of the increased premium. Additionally, this will likely encourage the vendor to address the underlying security issue.


Conclusion

Confusion and ambiguity are just part of life when it comes to business, which also extends to security. With that said, maximizing clarity to the utmost extent possible will go a long way toward improving your GRC program. When all stakeholders, internal and external, fully understand what is expected of them, they are best equipped to achieve their goals.


About the Author

author headshot

Nicholas Muy is the Chief Information Security Officer at Scrut Automation, where he leads cybersecurity, data privacy, and compliance. A vocal advocate within the security community for building security programs that align to business objectives. Previously a security and strategy leader at Expedia Group in security engineering and architecture and M&A. Prior to this, a cyber policy strategist in the U.S. Department of Homeland Security. Passionate about security, Nicholas is an active member within the security and technology community promoting responsible innovation and building security.
ComplianceEnhancing cloud security strategyRisk ManagementStandards

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Register for CSA’s Virtual FinCloud Security Summit
Key Management for Public Cloud Migration
Cloud Security for Startups 2024
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
Your Essential 10-Step GDPR Compliance Checklist

Published: 01/07/2025

Navigating Cloud Challenges with Repatriation

Published: 01/07/2025

Global Data Sovereignty: A Comparative Overview

Published: 01/06/2025

The Critical Role of OT Security in the Oil and Gas (O&G) Industry

Published: 01/03/2025