Eight reasons why a CEO can be fired after a security breach

The theft of private data on 143 million Americans made the Equifax cyberattack one of the biggest in history. The company’s handling of the breach came under intense scrutiny, resulting in the resignation of CEO Richard Smith in September 2017 amid the turmoil.

He was not the first or the last casualty. A Gartner analysis of security breaches reported in news media over a five-year period shows that CEOs are increasingly blamed and punished as a result of cybersecurity-related events — even more so than IT executives. The consequences include dismissal, resignation or loss of significant compensation.

CIOs and CISOs concerned with IT risk must help CEOs achieve greater defensibility with key stakeholders such as customers, board members, regulators and shareholders. This is not about a scare campaign or a wake-up call for executives and the board. This is a real opportunity for CIOs and CISOs to rethink how they engage senior non-IT executives to prioritise and fund security.

Gartner has identified eight reasons why more CEOs will be fired over cybersecurity breaches. Addressing them will make a security program more defensible, not against bad guys but with key stakeholders, so they are satisfied with the organisation’s security approach.

#1 Invisible risks

Businesses make decisions every day that negatively impact their security readiness, for example, refusing to shut down a server for proper patching, or choosing to keep working on old hardware and software to save budget. CIOs need to be sure that invisible systemic risk is recognised, reported and discussed in governance processes.

#2 Cultural disconnect

While organisations have understood for more than a decade that security is a business problem, they continue to struggle with approaching it as one. Its treatment remains largely a technical problem, handled by technical people and buried in IT, even though it has been presented in the boardroom at least annually for years.

#3 Throwing money

You cannot buy your way out, and you still will not be perfectly protected. Avoid negatively impacting business outcomes by raising ongoing operational costs and potentially damaging the ability of the organisation to function.

#4 The defender

Security staff are hired because they are experts and their job is to protect the organisation. This silos the issue, placing people in charge of protecting business outcomes they do not understand.

#5 Hire to fire

Accountability means that a decision to accept risk is defensible to key stakeholders. If accountability means that someone will get fired if something goes wrong, no one will engage.

#6 Poor risk statements

Organisations create generic high-level statements about their risk appetite that do not support good decision making. Avoid promising to only engage in low-risk activities. This is counter to good business and creates another good reason to fire you if you engage in risky activities.

#7 Rob the bank

Blaming an organisation for getting hacked is like blaming a bank for getting robbed. The difference is that the banks are defensible — most organisations are not. When a headline-grabbing security incident happens, society just wants heads to roll. While this is not fair, it is the result of decades of treating security as a black box. Society is not going to change until organisations and IT departments start treating and talking about security differently.

#8 How transparent?

Countless interactions with organisations reveal boards and executives who do not want to hear or acknowledge that security is not perfect. Some board presentations are filled with good news about the tremendous progress that has been made in improving security, with little or no discussion of where gaps and opportunities for improvement exist.

IT and non-IT executives alike must be willing to understand and talk about the realities and limitations of how security works, to tackle the challenges.

Paul Proctor, Distinguished VP Analyst, Gartner.

Key takeaways

  • IT and non-IT executives must be willing to understand the realities and limitations of how security works.
  • Blaming an organisation for getting hacked is like blaming a bank for getting robbed.
  • When a headline-grabbing security incident happens, society wants heads to roll.
  • Society is not going to change until organisations start talking about security differently.
  • Avoid promising to only engage in low-risk activities.
  • Security staff are hired because their job is to protect the organisation.
  • Avoid impacting the business by raising operational costs and damaging the ability of the organisation to function.
  • Businesses make decisions every day that negatively impact their security readiness.
  • While organisations have understood security is a business problem, they continue to struggle with approaching it as one.

An organisation’s security is a combination of process legacy and myopia, for which the CEO alone is not responsible, explains Paul Proctor at Gartner.