Brakes and Breaches: Why the Board Treats Them the Same

Written by

Recently, Yahoo’s Board realized that a security breach isn’t that much different from a faulty brake system. Both pose a safety/security risk to the end consumer, and to the business. Now, a precedent exists to fire, or significantly cut the compensation of, the chief executives in charge of either brake failures or security breaches.

Yahoo announced that CEO Marissa Mayer will be taking a pay cut after an independent investigation revealed that company leadership failed to “properly comprehend or investigate” the security breach in 2014. This particular breach resulted in the compromise of 500M users’ accounts.

Unfortunately, this was only one of several security breaches at Yahoo, all resulting in billions of personal records stolen and a $350M discount on Verizon’s acquisition price.

The security cost to Marissa Mayer is $14M, almost half of her expected 2016 compensation. Mayer’s 2016 bonus ($2M) and 2017 equity awards ($12M) will amount to ~40% of her 2015 pay package ($36M). This is not dissimilar from Toyota’s chief exec lowering his annual compensation to ~50% after the 2010 recalls, or Takata cutting their chief exec’s pay by > 50% after the discovery of their faulty air bags.

It is not often that we see a chief executive get publicly reprimanded or shown the door for a security breach. Before Mayer, the best example would be Target’s pushing out their CEO in the wake of their 2013 breach.

In part, the limited track record of executives being penalised for security failures is cultural – security has long been siloed as an “IT issue.” But this is also due to the underlying challenge of trying to estimate the business impact of the breach. Accounting for legal and investigative fees is fairly straightforward, but what is the long-term impact to the brand, customer loyalty, and the bottom line?

As businesses refine their models of breaches’ business impact, industry experts are weighing in with cost estimates as high as billions of dollars for a breach, such as Sony’s. These estimates far exceed traditional estimates that incorrectly relied on black market rates for stolen records as the benchmark for impact to business value.

With such a painful potential impact, a breach is truly a major business issue, similar to an auto recall due to faulty brakes. In order to beat the bad guys, we are going to have to put some skin in the game. Here are some ideas on a framework for security accountability at the executive level:

Financial disincentives are a start. The EU has established a policy framework that holds businesses accountable for security. Under the General Data Protection Regulation (GDPR), any company handling EU personal information will be fined either 4% of global turnover or 20M Euros, whichever is greater, if they are breached. This policy brings the business impact of a breach front and center, forcing business executives to get a firm grasp on their security programs in order to mitigate their risk.

A carrot to accompany the stick also helps. Bonuses are awarded for financial performance, why not for product security as well? By making brands synonymous with security and trust, and reducing the risk of downtime or product failure, a company enhances the value it provides to customers and enables the business.

Responsibility throughout the organization. Carrot-and-stick security should not sit only on the shoulders of a few. While pressure on the chief executive helps, security should be integrated throughout the organization, starting with product development. Security cannot be an afterthought – it must be baked in early (and often) to avoid putting security teams on the defensive.

Ultimately, the onus is really on the security industry and security practitioners to educate the C-suite and board level, as well as product managers and asset owners, about the importance of security.

The issue has remained siloed in the IT department too long, and it’s up to the experts to engage with the c-level and board to share why security matters, what the impact is on the business, and what can be done to minimize risk.

If done the right way, security should actually enable the business by making products that consumers trust and love.

What’s hot on Infosecurity Magazine?