Is your company’s board of directors and executive team taking cybersecurity as seriously as it should? According to the head of the UK’s National Cyber Security Centre (NCSC), they’re not, and the consequences for your company can be disastrous. In an article published in ZDNet, Lindy Cameron, CEO of the NCSC, said cybersecurity should be “viewed with the same importance to CEOs as finance, legal or any other vital day-to-day part of the enterprise.” But the truth is that while CEOs meet with their Finance and Operations heads regularly, they meet with their Chief Information Security Officer (CISO) far less frequently.
It’s this focus on cybersecurity as a core business function that is the important part of Cameron’s message. In the ZDNet article, she cites the case of “organisations which have walked in on Monday mornings to find they can't turn on their computers or phones, the backup plan was not printed out so they couldn't find a phone number."
The Chief Information Security Officer Role
The very first CISO was Stephen Katz of Citicorp back in 1994. The post was created shortly after a series of cyber attacks on the bank by Russian hackers. In a 2018 interview with CNBC, Katz delineated the responsibilities of a CISO (paraphrased here).
- Security Operations, including threat analysis, installing and monitoring security tools and network entry points, and triage and response during and after attacks.
- Cyber Risk and Cyber Intelligence, to get ahead of new types of attacks that could threaten the organization.
- Data Loss and Fraud Prevention, including monitoring the flow of information through and out of the company.
- Security Architecture, designing the security infrastructure to help prevent attacks, breaches and data loss.
- Identity and Access Management, determining who has access to which resources, and how that access is protected and monitored.
- Program Management, to identify and remediate security weaknesses, including patch management.
- Investigation and Forensics, in case something goes wrong. Think “CSI” for your IT infrastructure.
- Governance, which involves ensuring there is an adequate budget for security efforts, keeping up to date on the many changing rules and standards, and advocating for security throughout the organization.
CEOs Who Don’t Take Cybersecurity Seriously Can Suffer
In a report on the Fortune 500 companies of 2019, Bitglass found that 38% of companies had no CISO role at all. Of the 62% that do have a CISO, only 4% listed that person among the company’s executive leadership, adding weight to Cameron’s remarks.
As you might expect, a company suffers substantially as a result of a breach. Bitglass studied public companies that were breached and “found that these breaches have cost companies an average of $347 million in legal fees, penalties, remediation costs, and other expenses and a 7.5% decrease in stock price.”
In short, companies that wish to stay in business, and CEOs who want to continue to lead those businesses, need to work hard to protect the business. And it’s often the CEO who pays the price when too little effort is put into cybersecurity.
- Target: In 2014, Target’s CEO, Gregg Steinhafel, was forced to resign after a well known data breach that affected 40 million customer payment cards.
- Equifax: The credit reporting company suffered a data breach involving the personal data of more than 140 million people. Shortly afterwards, CEO Richard Smith was asked to step down.
- Avid Life Media, parent company of Ashley Madison, suffered a well publicized data breach, after which CEO Noel Biderman was forced to resign.
- Yahoo suffered a very well known data breach, which resulted in the company’s CEO, Marissa Mayer, forfeiting her annual $2 million bonus and stock awards worth much more.
- Home Depot’s CEO Frank Blake conveniently retired just before the company’s breach was disclosed.
And the damage to CEOs is not likely to end with losing their jobs. A ZDNet article about a Gartner study reports that security “incidents will pierce the corporate veil to personal liability for 75% of CEOs,” which means they will be held personally responsible for data security incidents.
Speaking about the Equifax case, Senator Elizabeth Warren said that Smith’s resignation was not enough, and that “It's not real accountability if the CEO resigns without giving back a nickel in pay and without publicly answering questions.”
Does Your Organization Take Cybersecurity Seriously?
Smaller companies may consider themselves too small for a CISO, but that doesn’t mean they should abandon the role altogether. Outsourcing cybersecurity leadership to a reputable company may be more appropriate, so long as keeping the company’s data secure is treated as on par with keeping the company’s books in balance. If you don’t have the staff, the knowledge or the budget for your own CISO, let’s talk. Digital Uppercut provides cybersecurity services at the executive level for companies like yours. Contact us online or call us at 818-913-1335.