SecurityWeek

The CEO’s Data Breach Dilemma

Very little will get a board of directors’ attention as quickly as a cyber data breach with its attendant risks of damage to market capitalization, competitive advantage and brand reputation. Not to mention that there can be financial consequences reaching perhaps into the billions of dollars.

An increasing number of American CEOs may arrive at their offices each morning contemplating this ever-so-imminent enterprise-wide risk. It is a risk in which they have little if any experience, for which they hold only limited answers, but one for which they will ultimately be held accountable.

Cybersecurity, once seen as a matter of compliance, has become a business imperative: once considered a drain on corporate resources, it now tops the executive management agenda. When a cyber breach occurs, it engulfs and diverts the attention, time and resources of the entire enterprise, unleashing a torrent of pressures from customers, investors, regulators, legal firms, business suppliers and partners.

An increasing wave of data breaches, stretching from those against Target Stores to the more recent attacks against Supervalu, home improvement giant Home Depot, and most recently banker JPMorgan and others can only raise levels of CEO angst throughout corporate America.

The JPMorgan customer data theft – involving more than 80 million customers – is of particular concern. In a recent SecurityWeek comment, Steve Hultquist, chief evangelist at RedSeal Networks gives this perspective: “The fact that JPMorgan Chase could be breached should send a shiver of fear through every organization. This breach demonstrates that even the best reactive technology and processes aren’t enough.”

That observation provides little comfort to the CEO, whose challenge includes choosing between a mind-bending array of cybersecurity technologies, tools and processes, choices which will set the direction of his organization’s information protection strategy for years to come. In other words, a critical but risky venture for both the CEO and the organization.

Carl Wright, former chief information security officer of the U.S. Marine Corps, sums up the CEO’s quandary thus: “This is the most dangerous time we have had as a country, specific to cyber. The reason is that we have senior leadership in corporations and government who are barely IT-literate. They are approving policies and making decisions they truly don’t understand.”

Possessing limited knowledge and an array of choices, yet knowing he will be judged on how he responds to a cyber breach, what is the embattled CEO to do? For some answers I contacted Rebecca Scorzato, Director of Crisis and Security Consulting for global risk management firm Control Risks. Scorzato responded with a theme of hope: “Executing a successful cyber breach response lies within the reach of every chief executive.” Her comments:

“Primarily as a result of the waves of cyberattacks over the past year, senior corporate executives are realizing that in the event of a serious breach they are the ones held accountable. They are the ones who will be interfacing with customers, investors, regulators, business partners and the media. It is their jobs that are at stake. They want to be ready.”

But realizing is not action, and what assurance is there that any action undertaken will necessarily be effective?

“The key to a successful cyber breach response lies in preparation and practice,” she replies. “Those organizations with effective crisis-response plans typically conduct strategic exercises where the executive team conducts a scripted ‘dress rehearsal,’ operating as it would during an actual crisis. It’s much like the adage, ‘Fight as you train; Train as you fight.’

“And dress rehearsal means all hands on deck. All necessary internal and external resources – risk management, legal, PR, human resources, investor relations, regulatory, insurance, the CIO, and the chief information security officer (if one is in place) – should be involved. The IT incident response team should also be conducting their own exercise to ensure their breach defense and remediation efforts are in sync with the actions the organization is taking.”

Asked about key tips for ensuring success in such an exercise, Scorzato replies, “First, the key to such success lies in the preparation. This is where senior executives have gone through the challenging strategic decision-making for their organization’s cyber incident response plan as a group. The teamwork involved here is critical to successful response when a breach occurs. Second, it is a mistake to treat this as an IT readiness exercise; it is an organization readiness exercise.”

Point well made, especially when considering that to achieve optimum performance sports teams practice their plays, military units practice their maneuvers and rock bands practice their performances. Those CEOs deliberating over steps to take for improving cyber breach response preparedness might take note.

As a final question, I ask Scorzato whether she has seen senior executive interest in preparing for response to cyber breaches increase in recent months. “Without question,” she replies. “And for good reason.”