Separation of Duties in Cyber
For those in the cyber security profession who have experience of fraud investigations and fraud prevention, the concept and operation of ‘separation of duties’, otherwise known as ‘segregation of duties’, will be familiar.
Separation of duties is a core internal control: no single person or party should both perform a task and check it. It reduces the opportunity for fraud and the likelihood that errors go unnoticed. This must be balanced against the additional cost and effort it requires, but in my experience a well planned and executed separation of duties delivers benefits that far outweigh any downside.
In the rapidly growing field of cyber risk management, the need for separation of duties has not yet been fully recognised. Some activities already adopt it, or should: privilege management (the person who approves access should not be the person who grants it) and software development and QA (developers should not test and release their own code). In both cases the aim is to preserve the integrity and accountability of operations.
One area where separation of duties is of the utmost importance is the segregation between monitoring for cyber attacks (MDR, SOC and similar services) and independent Cyber Incident Response (CIR), specifically the investigation of serious incidents.
A conflict of interest can arise when an MSSP offers both monitoring and CIR. Consider what happens when a cyber attack succeeds: the attack is not detected, not alerted on, or not sufficiently blocked, and a serious security incident results. If the same MSSP is then assigned to investigate, it is being asked to report on the adequacy of its own monitoring, and there is an obvious incentive not to report the oversight.
Of the incidents we independently investigated in 2024, three involved precisely this scenario where it was clear that the MSSPs involved were concerned about revealing such oversights due to concerns over potential liability and insurance issues.
When implementing separation of duties, protocols will be required to hand over more serious incidents smoothly from the MSSP to the independent CIR experts, but these should simply be variations of the escalation processes already in place as part of a good CIR plan.
It may, for instance, be an acceptable risk for the MSSP to manage low-level incidents, perhaps only of certain types, provided that as soon as defined thresholds are reached an independent CIR team is activated. Examples of such thresholds are an incident involving unauthorised access to sensitive data, or one with a material impact on the business (many organisations class this as a P1 incident).
Ensuring independence in cyber incident response is crucially important if an organisation wants to truly understand the ‘what’, ‘when’, ‘where’, ‘why’, ‘who’ and ‘how’ aspects of a cyber incident.
The increased cost and effort of achieving separation of duties are worth noting. Many MSSPs bundle CIR into their MDR/SOC offerings, sometimes heavily discounting the CIR element as a carrot to win business. This is often not in the best interests of the client, so organisations procuring such services should assess their specific need for investigatory independence and consider the conflict of interest, the risks, and the professional ethics of relying on a single supplier.
Optimal use of the cybersecurity budget is clearly a key aim of any organisation. Splitting monitoring and incident response between two suppliers need not be more expensive, and the independence gained may well be worth the effort. Independent CIR providers can also generally respond to security incidents outside the capability of most MSSPs: lost devices, frauds, or hybrid corporate and physical security incidents, all of which occur well outside what MDR can detect.
In conclusion, it is clear that the developing cybersecurity profession needs to consider and adopt the concept of separation of duties in support of best practice, similar to where it is used effectively in many other areas of operational risk management.
Those who are tasked with formulating and disseminating cyber standards and best-practice also need to consider where separation of duties has an important role to play in ensuring both integrity and accountability in the effective management of cyber risk.
Visit hackershackpeople.com | Hackers Hack People: See Yourself As The Darknet Sees You. Ask Me For Your Free Darknet Profile
1 month ago: Valid point. Presumably, this also applies to organizations that run their cybersec monitoring and remediation in-house?
Senior Cybersecurity Lead & Compliance Analyst at Aspen Global Incorporated - Mauritius
1 month ago: Very informative
CSO - LNDSR
1 month ago: Very well said Neil. We have encountered this exact scenario with clients and their MSSPs and/or MSPs.
Founder and CEO Global Cybersecurity Consulting | Specialist Cybersecurity Consultants across four continents
1 month ago: Great point, Neil. Ensuring 'Separation of Duties' is crucial in maintaining transparency and trust in cybersecurity operations.
‘Oversights’. How delightfully British.