For years, the security community and regulators have been warning that things are starting to get serious and that “plausible deniability” for executives no longer exists when it comes to lapses in network security. Some heeded the warnings, most did not, and as a result we are starting to see the ramifications of a tougher emphasis on security.
Not only are executives facing increased scrutiny from authorities and Congress, but they are now squarely in the crosshairs of their own board members and shareholders who are frustrated and moved to action by any loss of value tied to security issues. While this is certainly not the first domino to fall, it may be the highest profile to date. The announcement within the last couple of weeks that Target Corporation chairman and CEO Gregg Steinhafel was forced to resign in response to a massive data breach was the proverbial “shot heard round the world,” and the C-Suite is directly in its sightline.
By all accounts that I’ve read, Mr. Steinhafel was an excellent executive who was respected by employees and investors alike. So if it can happen to him, it can surely happen to any executive, at any company, in any market.
The following is an excerpt from a Bloomberg Businessweek story on May 5, 2014.
Headline: As Data Breach Woes Continue, Target's CEO Resigns
Target’s chairman and chief executive officer, Gregg Steinhafel, a 35-year company veteran, is stepping down, as the massive pre-Christmas data breach suffered by the Minnesota retailer continues to roil the company. The decision is effective immediately, according to a statement posted today on the company’s website. John Mulligan, Target’s chief financial officer, has been appointed as interim president and CEO.
Steinhafel “held himself personally accountable and pledged that Target would emerge a better company,” following the breach, the statement said. “We are grateful to him for his tireless leadership and will always consider him a member of the Target family.”
This is the type of headline that should get the attention of every executive in America. Nobody wants to see the career that they have built and cultivated go up in flames due to a data breach. While Mr. Steinhafel was the unfortunate example in this particular case, he may end up being one of the more important figures in the battle for cyber relevancy within corporations.
In a security career that spans more than 25 years, if there is one undeniable fact I’ve come to accept, it’s that senior executives don’t respond well to potential vulnerabilities or statistics around what “could” happen. If you want to get their attention, you need to tie security activities to business operations and prove demonstrably that a large-scale security incident can negatively affect company value and jobs.
A couple of years back we conducted a third-party survey that highlighted the disconnect that exists between the CEO and the CISO when it comes to making cyber security a priority for the organization. While everyone paid sufficient lip service to the issue, the data highlighted that security was still an undervalued and misunderstood element of business operations. In covering the results of the survey, All Things D referred to it as: Talking About Security Bores the Boss.
While companies have certainly made strides in this area since we initially released these results, we are still lagging behind where we need to be to ensure that these types of breaches don’t become the norm. Target may have paid the highest price since the infamous TJX breaches several years ago, but they are far from alone on this issue.
The fall of a high-profile CEO due to security concerns makes me envision a scenario where security is now given a more prominent role on the executive team, with more emphasis placed on avoiding the breach in the first place rather than trying to conduct damage control after the fact.
It often takes a high-impact incident to create change. I would imagine that upon hearing about the outcome of the Target breach, executive teams everywhere are giving serious consideration to adding a seat at the table for security and avoiding a similar fate.