A common perspective in most firms is that cyber security is primarily the responsibility of the IT department. When a data breach occurred, the spotlight fell on root causes and on the technical fixes needed to remedy the matter. Rarely did such an incident have repercussions for any member of the executive team and, when it did, the senior IT executive was the only one to take the blame and, eventually, to lose his seat.
That all changed earlier this month when Target’s CEO Gregg Steinhafel, a 35-year employee of the company with the last six at the helm, resigned in light of the recent holiday-season credit-card security breach that affected 40 million customers. Many speculate about the reasons for his sudden departure, and Target’s foray into Canada has not been particularly successful either, but it is likely that the data breach provided the additional impetus the board needed to request his resignation. One more clue is given by the news that Target also replaced its CIO with Bob DeRodes, an executive with a very strong background in information security.
This should be a harbinger for CEOs and board members of companies large and small. The cost of the data breach to Target will be in the billions by most estimates. Even for CEOs who do not report to outside boards, a significant data breach, particularly if not covered by insurance, could cost them their company.
Another, perhaps even more interesting, perspective highlighted by this article is that COMPLIANT DOES NOT MEAN SECURE. Target, in fact, passed its compliance requirements several months before the breach occurred, but as the evidence now clearly shows, it was not secure. Going back in history, perhaps not many readers know that the Titanic was actually compliant with the British Board of Trade, which required all boats over 10,000 metric tons to have 16 lifeboats. It didn’t matter how many passengers were on board: just put 16 lifeboats on. So was the Titanic compliant? Yes. Did compliance avoid a tragedy? No. Read more here.
Companies must ensure they are secure by going beyond the minimum compliance standards. One way of going beyond them is to employ “white hat” penetration testing companies to actually test their security. Some common sense should be applied too: we have the firewall, IDS and IPS in place, fine, but are they configured correctly?
Many times CEOs and their C-level reports are frustrated by the lack of training that would let them determine, at the executive level, what the real risk to their company is. They don’t want to get into the technical details of what the Heartbleed bug does, for example, but they do want to be able to quantify in their own minds what their risk is. With the firing of the Target CEO, that risk is now a personal as well as a corporate risk for members of the executive suite.