SecurityWeek

Risk Management

The CEO’s Data Breach Dilemma

Very little will get a board of directors’ attention as quickly as a cyber data breach with its attendant risks of damage to market capitalization, competitive advantage and brand reputation. Not to mention that there can be financial consequences reaching perhaps into the billions of dollars.


An increasing number of American CEOs may arrive at their offices each morning contemplating this imminent, enterprise-wide risk. It is a risk in which they have little if any experience, for which they hold only limited answers, but one for which they will ultimately be held accountable.

Cybersecurity, once seen as a matter of compliance and a drain on corporate resources, has become a business imperative that now tops the executive management agenda. When a breach occurs, it engulfs and diverts the attention, time and resources of the entire enterprise, unleashing a torrent of pressure from customers, investors, regulators, law firms, suppliers and business partners.

An increasing wave of data breaches, stretching from the attack on Target Stores to the more recent incidents at grocer SuperValu, home improvement giant Home Depot and, most recently, JPMorgan Chase, among others, can only raise the level of CEO angst throughout corporate America.

The JPMorgan Chase customer data theft, involving more than 80 million customers, is of particular concern. In a recent SecurityWeek comment, Steve Hultquist, chief evangelist at RedSeal Networks, gives this perspective: “The fact that JPMorgan Chase could be breached should send a shiver of fear through every organization. This breach demonstrates that even the best reactive technology and processes aren’t enough.”

That observation provides little comfort to the CEO, whose challenge includes choosing among a mind-bending array of cybersecurity technologies, tools and processes, choices which will set the direction of the organization’s information protection strategy for years to come. In other words, a critical but risky venture for both the CEO and the organization.

Carl Wright, former chief information security officer of the U.S. Marine Corps, sums up the CEO’s quandary this way: “This is the most dangerous time we have had as a country, specific to cyber. The reason is that we have senior leadership in corporations and government who are barely IT-literate. They are approving policies and making decisions they truly don’t understand.”

Possessing limited knowledge and an array of choices, yet knowing he will be judged on how he responds to a cyber breach, what is the embattled CEO to do? For some answers I contacted Rebecca Scorzato, Director of Crisis and Security Consulting for the global risk management firm Control Risks. Scorzato responded with a theme of hope: “Executing a successful cyber breach response lies within the reach of every chief executive.” Her comments:

“Primarily as a result of the waves of cyberattacks over the past year, senior corporate executives are realizing that in the event of a serious breach they are the ones held accountable. They are the ones who will be interfacing with customers, investors, regulators, business partners and the media. It is their jobs that are at stake. They want to be ready.”


But realizing is not acting, and what assurance is there that any action undertaken will actually be effective?

“The key to a successful cyber breach response lies in preparation and practice,” she replies. “Those organizations with effective crisis-response plans typically conduct strategic exercises where the executive team conducts a scripted ‘dress rehearsal,’ operating as it would during an actual crisis. It’s much like the adage, ‘Fight as you train; Train as you fight.’

“And dress rehearsal means all hands on deck. All necessary internal and external resources – risk management, legal, PR, human resources, investor relations, regulatory, insurance, the CIO, and the chief information security officer (if one is in place) – should be involved. The IT incident response team should also be conducting its own exercise to ensure that its breach defense and remediation efforts are in sync with the actions the organization is taking.”

Asked about key tips for ensuring success in such an exercise, Scorzato replies, “First, the key to such success lies in the preparation. This is where senior executives have gone through the challenging strategic decision-making for their organization’s cyber incident response plan as a group. The teamwork involved here is critical to successful response when a breach occurs. Second, it is a mistake to treat this as an IT readiness exercise; it is an organization readiness exercise.”

Point well made, especially when considering that, to achieve optimum performance, sports teams practice their plays, military units practice their maneuvers and rock bands practice their performances. CEOs deliberating over steps to take to improve cyber breach response preparedness might take note.

As a final question, I asked Scorzato whether she had seen senior executive interest in preparing for response to cyber breaches increase in recent months. “Without question,” she replies. “And for good reason.”
