The resignation of Target Corp. CEO Gregg Steinhafel earlier this week indicates a growing awareness among the C-suite and boards that security is intimately intertwined with business strategy and should be viewed as a board-level issue.
“Cyber-security is now a Board and C-level issue, but that wasn’t always the case,” said Shawn Henry, CSO of CrowdStrike and president of the company’s services division. “Cybersecurity is no different than any other risk a company faces today.”
Very few CEOs of major companies are familiar with their own security operations, leaving the management and oversight entirely to the IT organization. The lack of visibility means the CEO and other senior executives frequently are not aware of security risks that could significantly impact business goals and operations. However, cyber-threats have become so pervasive and cause such damage to brands that CEOs and board members cannot afford to continue being hands-off.
CEOs need to realize they cannot prevent every attack from occurring, and understand that everyone owns the data and needs to take part in protecting it. They need to learn how to respond during a breach and how to effectively communicate the situation to customers, partners, shareholders, and employees. Handling security incidents should become just another business process, like payroll management.
“The gauntlet has been laid down for all executives that process and store sensitive information that CEOs can no longer pay attention to security only when there is a problem,” said JD Sherry, vice-president of technology and services at Trend Micro.
Indirect Costs of the Breach
It’s important to remember that the CEO did not resign just because Target suffered a data breach. “We don’t fire the CEOs of banks every time a bank gets robbed,” Henry said. There were many factors affecting Target’s performance that led to the resignation, and the fact that Target’s sales, profit and stock price have all suffered in the five months since the breach was first discovered just happened to be one of them.
“Data breaches of this nature have significant impact not just on reputation (and therefore stock price) but also on customer and board confidence in the leadership of the organization,” said Steve Durbin, global vice-president of the Information Security Forum.
While organizations are beginning to understand the impact a data breach can have on the brand and customer confidence, there is still a disconnect. Nearly 80 percent of respondents in a recent Websense/Ponemon survey of 5,000 global IT security practitioners said their company’s leaders did not equate losing confidential data with a potential loss of revenue. A data breach assessment is not just about the number of records stolen, people impacted, or systems damaged. The company also has to address consumer confidence and show it is taking steps to learn from the incident and fix the underlying issues.
Understanding the Risks
The Target breach was a “watershed event” for retailers, as it drove home how vulnerable they are, even if they meet compliance rules and invest in security. There have been similar turning points for other industry sectors over the past year-and-a-half, such as the series of disruptive distributed denial-of-service (DDoS) attacks against financial services organizations and the massive case of insider theft in the government sector by ex-NSA contractor Edward Snowden.
“If there was any remaining doubt, this clearly demonstrates that security is a business issue and must be taken seriously by boards,” Durbin said.
In the Websense/Ponemon survey, 48 percent of respondents said board-level executives had “a sub-par understanding” of security issues. While awareness has most likely increased over the past few years, the number is still distressingly high.
Boards of directors and CEOs need to be thinking about security from a business perspective. This includes a comprehensive risk assessment that includes cyber-risks, and the willingness to build a cyber-resilience approach. CEOs need to consider cybersecurity within several contexts, including crisis management, business continuity, disaster recovery, and business and shareholder communication.
Organizations are thinking harder about how they interact with suppliers and customers, said Mike Ellis, CEO of ForgeRock. Security is not just about looking at what employees are doing, or protecting customer data, but also about looking at supplier networks and relationships with contractors.
“As business leaders, CEOs need to handle cyber risks just as they would any other risk to the organization,” Henry said.
Getting the House in Order
“Because incidents of major breaches and vulnerabilities seem to be happening more frequently, the expectation is we should ‘figure it out’ as we’ve been on notice for a while,” said Craig Carpenter, chief cybersecurity strategist at AccessData. The problem is that many organizations have been focused on a prevention-only strategy and are just now shifting to a prevent-and-detect strategy, he said.
Organizations have to plan for the unexpected and to have processes in place that allow for timely and effective responses to breaches that go much further than simply getting systems back up and running, Durbin said. Instead of prevention, the focus has to be on detection, investigation, remediation, and resolution. Since these are business-based decisions, “it is right and proper” that the leadership take responsibility for these decisions.
To be effective, “companies will need to have their security house in order in the first place,” Carpenter said.