Very little will get a board of directors’ attention as quickly as a cyber data breach with its attendant risks of damage to market capitalization, competitive advantage and brand reputation. Not to mention that there can be financial consequences reaching perhaps into the billions of dollars.
An increasing number of American CEO’s may arrive at their offices each morning contemplating this ever-so imminent enterprise-wide risk. It is a risk in which they have little if any experience, for which they hold only limited answers, but one for which they will ultimately be held accountable.
Cybersecurity, once seen as a matter of compliance, has become a business imperative, a once-considered drain on corporate resources which now tops the executive management agenda. A cyber breach engulfs and diverts the attention, time and resources of the entire enterprise, unleashing a torrent of pressures from customers, investors, regulators, legal firms, business suppliers and partners when it occurs.
The JPMorgan customer data theft – involving more than 80 million customers – is of particular concern. In a recent SecurityWeek comment, Steve Hultquist, chief evangelist at RedSeal Networks gives this perspective: “The fact that JPMorgan Chase could be breached should send a shiver of fear through every organization. This breach demonstrates that even the best reactive technology and processes aren’t enough.”
That observation provides little comfort to the CEO, whose challenge includes choosing between a mind-bending array of cybersecurity technologies, tools and processes – choices which will set the direction of his organization’s information protection strategy for years in the future. In other words, a critical but risky venture for both CEO and the organization.
Carl Wright, former chief information security officer of the U.S. Marine Corps, sums up the CEO’s quandry thusly: “This is the most dangerous time we have had as a country, specific to cyber. The reason is that we have senior leadership in corporations and government who are barely IT-literate. They are approving policies and making decisions they truly don’t understand.”
Possessing limited knowledge and an array of choices, yet knowing he will be judged on how he responds to a cyber breach, what is the embattled CEO to do? For some answers I contacted Rebecca Scorzato, Director of Crisis and Security Consulting for global risk management firm Control Risk. Scorzato responded with a theme of hope: “Executing a successful cyber breach response lies within the reach of every chief executive.” Her comments:
“Primarily as a result of the waves of cyberattacks over the past year, senior corporate executives are realizing that in the event of a serious breach they are the ones held accountable. They are the ones who will be interfacing with customers, investors, regulators, business partners and the media. It is their jobs that are at stake. They want to be ready.”
But realizing is not action, and what assurance is there that any action undertaken will necessarily be effective?
“The key to a successful cyber breach response lies in preparation and practice,” she replies. “Those organizations with effective crisis-response plans typically conduct strategic exercises where the executive team conducts a scripted ‘dress rehearsal,’ operating as it would during an actual crisis. It’s much like the adage, ‘Fight as you train; Train as you fight.’
“And dress rehearsal means all hands on deck. All necessary internal and external resources – risk management, legal, PR, human resources, investor relations, regulatory, insurance, the CIO, and the chief information security officer (if one is in place) – should be involved. The IT incident response team should also be conducting their own exercise to ensure their breach defense and remediation efforts are in synch with the actions the organization is taking.”
Asked about key tips for ensuring success in such an exercise, Scorzato replies, “First, the key to such success lies in the preparation. This is where senior executives have gone through the challenging strategic decision-making for their organization’s cyber incident response plan as a group. The teamwork involved here is critical to successful response when a breach occurs. Second, it is a mistake to treat this as an IT readiness exercise; it is an organization readiness exercise.”
Point well made, especially when considering that to achieve optimum performance sports teams practice their plays, military units practice their maneuvers and rock bands practice their performances. Those CEO’s deliberating over steps to take for improving cyber breach response preparedness might take note.
As a final question I ask Scorzato if she had seen senior executive interest in preparing for response to cyber breaches increase in recent months. “Without question,” she replies. “And for good reason.”