“Those in executive management who view data breaches as an IT problem rather than an enterprise risk issue do so at their own risk.”
With what may have been a subtle reference to former Target Stores CEO Greg Steinhafel, who lost his job from his handling of cyber attacks, speaker and panelist Rebecca Scorzato set the stage for her opening comments at July’s exceptional Suits & Spooks cybersecurity forum in New York.
Principle one: Embrace the fact that cybersecurity involves cross-functional, high-stakes risks placing it squarely as a CEO and board-level issue:
“To have any chance at being effective,” Scorzato continued, “preparation for data breaches must be enterprise risk-driven rather than cybersecurity tool-driven.” Efforts to protect information assets with an all-inclusive protective ‘perimeter’ do not take into account definition of asset priorities that the CEO must direct, and will ultimately fail. Consulting firm McKinsey & Co. refers to this thinking as “business back” rather than “technology forward.”
Principle two: Obtain explicit buy-in from managers at senior levels that ownership of protecting information assets belongs to them.
IT is a critical technology support function, advisor and partner needed for information protection and response, but does not fully own the risks being protected. Without business unit ownership of cybersecurity, protection of risks is outsourced to those not ultimately responsible and can leave critical assets vulnerable.
Principle three: Ensure roles and responsibilities following a cyber breach are made crystal clear and are updated frequently. Many cybersecurity plans fail in their mission because of this laxness of operation.
“Business units’ cyber breach plans should be practiced before the attack occurs,” she emphasized. “Both internal resources and external agencies – accounting firms, crisis consultants, legal counsel, PR firms – must be involved in such exercises.”
Being specific in clarifying responsibilities will incur expenses on the front end but will be insignificant compared to the customer relations, recovery, technology and other costs from cleaning up breaches after their occurrence. Target Stores’ sales dropped 2.5% while profits plunged 49% during the critical fourth Christmas quarter as a result of their cyber data theft.
In a 2014 study on cybersecurity practices, McKinsey & Co. reported that “nearly 80 percent of technology executives said that they cannot keep up with attackers’ increasing sophistication.” A recent Forbes article entitled “Why Cyber Security Is Not Enough,” hit the cyber vulnerability nail on the head in a different way, stating that “They [the attackers] have the innovation, they have the timing, and they’ve got the target.”
The significance of these perspectives places Ms. Scorzato’s comments even more clearly in perspective for organizations of any size, in any industry.
But regardless of such findings and clear evidence of rising risks from cyberattacks, many organizations will still have disbelievers – the Sales & Marketing VP who doesn’t want cybersecurity responsibilities to distract his people from closing deals, the procurement head who insists his systems are “locked down tight” and need no more protection. This is where the CEO’s strength of commitment will be tested and the cyber security plan for the enterprise put to the test.
“In the end,” Ms. Scorzato concluded, “cyber security is as much a leadership issue as it is a technology issue. The CEO must set the tone and lead the organization’s approach to cyber security if he expects those in his C-suite to do the same.”
In today’s risk-filled world those who do not heed this advice may find their careers as much at risk as the information assets they are entrusted to protect.
Join the Next Suits and Spooks Event in London on September 12, 2014
Join Suits and Spooks in Singapore on December 14, 2014