
Target CEO Exit Highlights Business Side of Security

Enterprise Board of Directors Room

The resignation of Target Corp. CEO Gregg Steinhafel earlier this week indicates a growing awareness among the C-suite and boards that security is intimately intertwined with business strategy and should be viewed as a board-level issue.

“Cyber-security is now a Board and C-level issue, but that wasn’t always the case,” said Shawn Henry, CSO of CrowdStrike and president of the company’s services division. “Cybersecurity is no different than any other risk a company faces today.”

Very few CEOs of major companies are familiar with their own security operations, leaving the management and oversight entirely to the IT organization. The lack of visibility means the CEO and other senior executives frequently are not aware of security risks that could significantly impact business goals and operations. However, cyber-threats have become so pervasive and cause such damage to brands that CEOs and board members cannot afford to continue being hands-off.

CEOs need to realize they cannot prevent every attack from occurring, and understand that everyone owns the data and needs to take part in protecting it. They need to learn how to respond during a breach and how to effectively communicate the situation to customers, partners, shareholders, and employees. Handling security incidents should become just another business process, like payroll management.

“The gauntlet has been laid down for all executives that process and store sensitive information that CEOs can no longer pay attention to security only when there is a problem,” said JD Sherry, vice-president of technology and services at Trend Micro.

Indirect Costs of the Breach

It’s important to remember that the CEO did not resign just because Target suffered a data breach. “We don’t fire the CEOs of banks every time a bank gets robbed,” Henry said. There were many factors affecting Target’s performance that led to the resignation, and the fact that Target’s sales, profit and stock price have all suffered in the five months since the breach was first discovered just happened to be one of them.

“Data breaches of this nature have significant impact not just on reputation (and therefore stock price) but also on customer and board confidence in the leadership of the organization,” said Steve Durbin, global vice-president of the Information Security Forum.

While organizations are beginning to understand the impact a data breach can have on the brand and customer confidence, there is still a disconnect. Nearly 80 percent of respondents in a recent Websense/Ponemon survey (PDF) of 5,000 global IT security practitioners said their company’s leaders did not equate losing confidential data with a potential loss of revenue. A data breach assessment is not just about the number of records stolen, people impacted, or systems damaged. The company also has to address consumer confidence and show that it is taking steps to learn from the incident and fix the issues.

Understanding the Risks

The Target breach was a “watershed event” for retailers, as it drove home how vulnerable they are, even if they meet compliance rules and invest in security. There have been similar turning points for other industry sectors over the past year-and-a-half, such as the series of disruptive distributed denial-of-service (DDoS) attacks against financial services organizations and the massive case of insider theft in the government sector by ex-NSA contractor Edward Snowden.

“If there was any remaining doubt, this clearly demonstrates that security is a business issue and must be taken seriously by boards,” Durbin said.

In the Websense/Ponemon survey, 48 percent of respondents said board-level executives had “a sub-par understanding” of security issues. While awareness has most likely increased over the past few years, the number is still distressingly high.

Boards of directors and CEOs need to be thinking about security from a business perspective. This includes a comprehensive risk assessment that includes cyber-risks, and the willingness to build a cyber-resilience approach. CEOs need to consider cybersecurity within several contexts, including crisis management, business continuity, disaster recovery, and business and shareholder communication.

Organizations are thinking harder about how they interact with suppliers and customers, said Mike Ellis, CEO of ForgeRock. Security is not just about looking at what employees are doing or protecting customer data, but also about looking at supplier networks and relationships with contractors.

“As business leaders, CEOs need to handle cyber risks just as they would any other risk to the organization,” Henry said.

Getting the House in Order

“Because incidents of major breaches and vulnerabilities seem to be happening more frequently, the expectation is we should ‘figure it out’ as we’ve been on notice for a while,” said Craig Carpenter, chief cybersecurity strategist at AccessData. The problem is that many organizations have been focused on a prevention-only strategy and are just now shifting to a prevent-and-detect strategy, he said.

Organizations have to plan for the unexpected and have processes in place that allow for timely and effective responses to breaches, responses that go much further than simply getting systems back up and running, Durbin said. Rather than prevention alone, the focus has to be on detection, investigation, remediation, and resolution. Since these are business-based decisions, “it is right and proper” that the leadership take responsibility for them.

To be effective, “companies will need to have their security house in order in the first place,” Carpenter said.