Should a data breach be the kiss of death for the CEO?
The fact that CEOs have tendered their resignations in the aftermath of public breaches is a clear indication that the executive level is being held more accountable for the cyber security practices of their organizations. This is a trend that will likely continue, particularly for companies like Ashley Madison whose business it is to protect their customers’ privacy.
This doesn’t just mean dating websites, but also healthcare and financial institutions, where it is of the utmost importance that data be secured and protected. Losing public trust and confidence, particularly those businesses that rely on customer patronage for their success, will have a significant impact on the future well-being of a company.
When a breach occurs, an initial question is how did it happen and why was it allowed to happen? Where the responsibility ultimately rests will largely be determined by the particulars of a breach.
Judging from recent activity, CEOs have assumed that responsibility and in many cases, including the Ashley Madison breach, this is rightly so. Risk management is a large portion of a CEO’s responsibility and that includes cyber risk management. If they do not have the tools to do so and ignore repeated warnings to put those mechanisms in place, resulting breaches are their responsibility. This may change in the future, but right now, it’s stopping with them.
Since the Target breach, there is an increasing amount of literature indicating that more boards are taking cyber security very seriously and I expect that Ashley Madison’s CEO stepping down will add fuel to that fire.
According to the recent survey, “Defining the Gap: The Cybersecurity Governance Survey,” conducted by the Ponemon Institute and sponsored by Fidelis Cybersecurity, cybersecurity is on the agenda of 65 percent of boards. This is already an improvement over previous years and high-profile breaches resulting in executives stepping down will continue to force this issue onto the agenda of boards and the C-Suite alike.
Company emails reveal that security concerns were raised by staff members multiple times, yet nothing was done to fix these vulnerabilities. This is disappointing. An organization needs to develop cyber security plans and processes in concert with the roles and responsibilities of key stakeholders in order to ensure that its cybersecurity risk posture is appropriate to the data it needs to secure and protect and is relevant to the types of threats the organization is likely to face.
Developing such plans and testing them regularly will help identify gaps or areas needed for improvement, which will benefit an organization’s overall cyber security posture.
In this day, any information an organization possesses is of value to someone, whether it be intellectual property, financial information, or personal identifiable information. Organizations need to be able to identify what information is critical to their business operations and develop a cyber security strategy specifically to safeguard that data.
This strategy should be multi-layered. Attackers are determined and have a vast arsenal of attack tools at their disposal. Defenders must be equally determined and leverage advanced defenses in order to maintain the security of their data.
Target demonstrated that breaches are not fatal for a company if it has a contingency plan in place to deal with them, provides transparency, and keeps its customers well informed. Today’s cyber reality has demonstrated that all organizations, regardless of size or sector, are targets for cyber malfeasance.
The challenge for organizations will be to show how resilient they are after being affected by a breach. Those that do it more quickly and efficiently, because they already have a plan in place, will be better positioned to bounce back.