The Equifax breach became one of the biggest cyber-attacks in history, following the theft of the private data of 143 million people. The way the company handled the breach was put under a microscope, and the intense scrutiny eventually led to the resignation of CEO Richard Smith in September 2017, amidst the chaos of the breach.
He wasn’t the first, nor will he be the last casualty. A Gartner analysis of security breaches reported in the news media over a five-year period shows that CEOs are increasingly blamed and punished as a result of cybersecurity-related events — even more so than IT executives. The consequences include dismissal, resignation or loss of significant compensation.
CIOs and CISOs concerned with IT risk need to help CEOs achieve greater defensibility with key stakeholders such as customers, board members, regulators and shareholders. This isn’t about a scare campaign or a wake-up call for executives and the board. Rather, this is a real opportunity for CIOs and CISOs to evaluate how they engage senior non-IT executives when it comes to prioritizing and funding security.
There are a number of reasons why CEOs might be fired following a cyber-attack, but generally these can be split into eight categories. Overcoming these challenges will make an organization’s security program more defensible: not just against the “bad guys” but with key stakeholders, so they are satisfied with the company’s approach to cybersecurity.
Unseen systemic risk - Every day, security preparedness is affected by the decisions a business makes: refusing to take a server down for proper patching, for instance, or choosing to keep running old hardware and software to save budget. CIOs need to make sure this invisible systemic risk is recognized, reported and discussed in governance processes.
Throwing money at the problem - Throw all the money you want at the problem; you still will not be perfectly protected. Spending without limit also raises ongoing operational costs and can damage the organization's ability to function, so avoid harming business outcomes in the name of security.
Cultural divide - While organizations have understood for more than a decade that security is a business problem, they continue to struggle with approaching it as one. It is still treated largely as a technical problem, handled by technical people and buried in IT, even though it has been presented in the boardroom at least annually for years.
Your security officer is the defender of your organization - Security staff are hired because they are experts, and their most important task is to protect the organization from threats. Treating them as the sole defenders isolates the issue, because people are put in charge of protecting business outcomes that they do not necessarily understand.
Social pressure - You wouldn’t blame a bank for getting robbed, and the same applies to companies — you can’t blame them for getting hacked. There’s a difference, however. Banks are defensible — most organizations are not. When a headline-grabbing security incident happens, society just wants heads to roll. This is entirely unfair, but it’s the result of decades of treating security as a black box. Society is not going to change until organizations and IT departments start treating and talking about security differently.
Fragmented accountability - Accountability should mean that a decision to accept risk is defensible to key stakeholders. If accountability means that someone will get fired if something goes wrong, no one will engage.
Lack of transparency - We have observed numerous interactions with organizations that have boards and executives who do not want to hear or acknowledge that security is not perfect. Some board presentations are filled with good news about the tremendous progress that has been made in improving security, with little or no discussion about where gaps and opportunities for improvement exist.
Poorly formed risk appetite statements - Too often, organizations create generic high-level statements about their risk appetite. However, these do not support good decision making. Avoid promising to only engage in low-risk activities. This is counter to good business and creates another good reason to fire you if you engage in risky activities.
CIOs can minimize risk and optimize company performance by addressing these factors, which impact executive defensibility following a cybersecurity incident. Importantly, IT and non-IT executives alike must be willing to understand and talk about the realities and limitations of how security works to tackle the challenges.