Chcon2025

Whose Responsibility is it Anyway?
2025-10-31 , Main Hall

It's so easy to pawn off responsibility to someone else. We all do it at some point. But at what point do we need to be responsible? And who needs to be responsible? Quite often on projects we work with a whole lot of different people, teams or organisations towards the same end result. These days a project can have the business owner, the project team, IT, architects, P&C, some SaaS providers, an MSP, an MSSP, and, why not throw in the whole alphabet, an IaaS platform and a security consultancy to do the independent assurance (Hi!).
Who really is responsible? What are they responsible for? And what are our responsibilities to one another? Let's talk about it (and if your answer is the CISO, 9 times out of 10 you are probably wrong).


This talk will delve into who really is responsible, from both an internal and an external perspective, and why you should ultimately care. While we are more likely to consider responsibility when it comes to managing supply chains, it is less thought about when running systems day to day and delivering projects. There's a lot of talk around 'project controls', 'enterprise controls' and 'vendor controls', and splitting controls up that way can allow things to fall through the cracks between them.
We will discuss the challenges, highlight some common pitfalls I see as an auditor, and suggest some possible ways forward to understanding that responsibility.