Connect with us

Hi, what are you looking for?


Incident Response

Target CEO Exit Highlights Business Side of Security

Enterprise Board of Directors Room

Enterprise Board of Directors Room

The resignation of Target Corp. CEO Gregg Steinhafel earlier this week indicates a growing awareness among the C-suite and boards that security is intimately intertwined with business strategy and should be viewed as a board-level issue.

“Cyber-security is now a Board and C-level issue, but that wasn’t always the case,” Shawn Henry, CSO of CrowdStrike and president of the company’s services division. “Cybersecurity is no different than any other risk a company faces today.”

Very few CEOs of major companies are familiar with their own security operations, leaving the management and oversight entirely to the IT organization. The lack of visibility means the CEO and other senior executives frequently are not aware of security risks that could significantly impact business goals and operations. However, cyber-threats have become so pervasive and cause such damage to brands that CEOs and board members cannot afford to continue being hands-off.

CEOs need to realize they cannot prevent attacks from occurring, and understand that everyone owns the data and needs to take part in protecting it. They need to learn how to respond during a breach and to effective communicate the situation to customers, partners, shareholders, and employees. Handling security incidents should become just another business process like payroll management.

“The gauntlet has been laid down for all executives that process and store sensitive information that CEOs can no longer pay attention to security only when there is a problem,” said JD Sherry, vice-president of technology and services at Trend Micro.

Indirect Costs of the Breach

It’s important to remember that the CEO did not resign just because Target suffered a data breach. “We don’t fire the CEOs of banks every time a bank gets robbed,” Henry said. There were many factors affecting Target’s performance that led to the resignation, and the fact that Target’s sales, profit and stock price have all suffered in the five months since the breach was first discovered just happened to be one of them.

“Data breaches of this nature have significant impact not just on reputation (and therefore stock price) but also on customer and board confidence in the leadership of the organization,” said Steve Durbin, global vice-president of the Information Security Forum.

Advertisement. Scroll to continue reading.

While organizations are beginning to understand the impact a data breach can have on the brand and customer confidence, there is still a disconnect. Nearly 80 percent of responders in a recent Websense/Ponemon survey (PDF) of 5,000 global IT security practitioners said their company’s leaders did not equate losing confidential data with a potential loss of revenue. A data breach assessment is not just about the number of records stolen, people impacted, or systems damaged. The company has to address consumer confidence and show they are taking steps to learn from the incident and fix the issues.

Understanding the Risks

The Target breach was a “watershed event” for retailers, as it drove home how vulnerable they are, even if they meet compliance rules and invest in security. There have been similar turning points for other industry sectors over the past year-and-a-half, such as the series of disruptive distributed denial-of-service (DDoS) attacks against financial services organizations and the massive case of insider theft in the government sector by ex-NSA contractor Edward Snowden.

“If there was any remaining doubt, this clearly demonstrates that security is a business issue and must be taken seriously by boards,” Durbin said.

In the Websense/Ponemon survey, 48 percent of respondents said board-level executives had “a sub-par understanding” of security issues. While awareness has most likely increased over the past few years, the number is still distressingly high.

Boards of directors and CEOs need to be thinking about security from a business perspective. This includes a comprehensive risk assessment that includes cyber-risks, and the willingness to build a cyber-resilience approach. CEOs need to consider cybersecurity within several contexts, including crisis management, business continuity, disaster recovery, and business and shareholder communication.

Organizations are thinking harder about how they interact with suppliers and customers, Mike Ellis, CEO of ForgeRock said. Security is not just about looking at what employees are doing, or protecting customer data, but also looking at supplier networks and relationships with contractors.

“As business leaders, CEOs need to handle cyber risks just as they would any other risk to the organization,” Henry said.

Getting the House in Order

“Because incidents of major breaches and vulnerabilities seem to be happening more frequently, the expectation is we should ‘figure it out’ as we’ve been on notice for a while,” said Craig Carpenter, chief cybersecurity strategist at AccessData. The problem is that many organizations have been focused on a prevention-only strategy and are just now shifting to a prevent-and-detect strategy, he said.

Organizations have to plan for the unexpected and to have processes in place that allow for timely and effective responses to breaches that go much further than simply getting systems back up and running, Durbin said. Instead of prevention, the focus has to be on detection, investigation, remediation, and resolution. Since these are business-based decisions, “it is right and proper” that the leadership take responsibility for these decisions.

To be effective, “companies will need to have their security house in order in the first place,” Carpenter said.

Related Reading: Sooner or Later You’ll Get Hacked and Hire a CISO

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...