Critical Lessons from Suits & Spooks NYC: Making Data Breaches Survivable Events

“Those in executive management who view data breaches as an IT problem rather than an enterprise risk issue do so at their own risk.”

With what may have been a subtle reference to former Target Stores CEO Greg Steinhafel, who lost his job from his handling of cyber attacks, speaker and panelist Rebecca Scorzato set the stage for her opening comments at July’s exceptional Suits & Spooks cybersecurity forum in New York. 

Scorzato, who is Director of Crisis and Security Consulting for global risk management firm Control Risks, offered three principles to those in senior management facing the increasingly difficult task of securing the organization’s information assets from cyber breaches.

Principle one: Embrace the fact that cybersecurity involves cross-functional, high-stakes risks, placing it squarely as a CEO and board-level issue:

“To have any chance at being effective,” Scorzato continued, “preparation for data breaches must be enterprise risk-driven rather than cybersecurity tool-driven.” Efforts to protect information assets with an all-inclusive protective ‘perimeter’ do not take into account the definition of asset priorities that the CEO must direct, and will ultimately fail. Consulting firm McKinsey & Co. refers to this thinking as “business back” rather than “technology forward.”

Principle two: Obtain explicit buy-in from managers at senior levels that ownership of protecting information assets belongs to them.

IT is a critical technology support function, advisor and partner needed for information protection and response, but does not fully own the risks being protected. Without business unit ownership of cybersecurity, protection of risks is outsourced to those not ultimately responsible and can leave critical assets vulnerable.

Principle three: Ensure that roles and responsibilities following a cyber breach are made crystal clear and are updated frequently. Many cybersecurity plans fail in their mission because of laxness on this point.


“Business units’ cyber breach plans should be practiced before the attack occurs,” she emphasized. “Both internal resources and external agencies – accounting firms, crisis consultants, legal counsel, PR firms – must be involved in such exercises.” 

Being specific in clarifying responsibilities will incur expenses on the front end but will be insignificant compared to the customer relations, recovery, technology and other costs from cleaning up breaches after their occurrence. Target Stores’ sales dropped 2.5% while profits plunged 49% during the critical fourth Christmas quarter as a result of their cyber data theft.

In a 2014 study on cybersecurity practices, McKinsey & Co. reported that “nearly 80 percent of technology executives said that they cannot keep up with attackers’ increasing sophistication.” A recent Forbes article entitled “Why Cyber Security Is Not Enough” hit the cyber vulnerability nail on the head in a different way, stating that “They [the attackers] have the innovation, they have the timing, and they’ve got the target.”

These findings bring Ms. Scorzato’s comments into even sharper focus for organizations of any size, in any industry.

But regardless of such findings and clear evidence of rising risks from cyberattacks, many organizations will still have disbelievers – the Sales & Marketing VP who doesn’t want cybersecurity responsibilities to distract his people from closing deals, the procurement head who insists his systems are “locked down tight” and need no more protection. This is where the CEO’s strength of commitment, and the enterprise cyber security plan itself, will be put to the test.

“In the end,” Ms. Scorzato concluded, “cyber security is as much a leadership issue as it is a technology issue. The CEO must set the tone and lead the organization’s approach to cyber security if he expects those in his C-suite to do the same.” 

In today’s risk-filled world those who do not heed this advice may find their careers as much at risk as the information assets they are entrusted to protect.
