The theft of private data on 143 million Americans made the Equifax cyberattack one of the biggest in history. The company’s handling of the breach came under intense scrutiny, resulting in CEO Richard Smith resigning in September 2017 amid the turmoil.
It’s a sobering reminder for any CEO of the perils involved with data breaches.
Regulatory trends indicate increasing responsibility for boards and executives in reporting and preventing cyberattacks. While you can’t control if you get attacked, you can control your organization’s readiness to respond and weather the storm.
Gartner has identified seven reasons why more CEOs will be fired over cybersecurity breaches and how they can hold onto their jobs.
No. 1. Accountability is broken
More CEOs will be “held accountable.” Without good risk engagement there’s no accountability – “I just did what the security people told me to do.” Sell your executives on defensibility of decisions, not protection. Strong accountability models, in which risks rest with those that have the authority to address them, ensure that systemic security problems are not allowed to fester.
No. 2. The cultural disconnect
Many boards still believe cybersecurity is a technical problem handled by technical people, buried in IT. By hiring the right people with the right technical knowledge, you can lessen the chance of being attacked and stay out of the headlines.
No. 3. The server that never got patched
While there may be a legitimate business reason, many organizations have a handful of servers that never get patched. Conscious business decisions need to be made regarding what an organization will do, but more importantly, what it won’t do to protect itself.
No. 4. Your security officer is the defender of your organization
Security staff are hired because they’re experts and their job is to protect the organization. This silos the issue, placing people in charge of protecting business outcomes they don’t understand. Engage your executives — this is their risk.
No. 5. Throw money at the problem
You can’t buy your way out — you still won’t be perfectly protected. Avoid negatively impacting business outcomes by raising ongoing operational costs and potentially damaging the ability of the organization to function.
No. 6. Risk tolerance and appetite are fluffy
Organizations create generic high-level statements about their risk appetite that don’t support good decision making. Avoid promising to only engage in low risk activities. This is counter to good business and creates another good reason to fire you if you engage in risky activities.
No. 7. Social pressure
Blaming an organization for getting hacked is like blaming a bank for getting robbed. The difference is that the banks are defensible — most organizations aren’t. The first step to recovery is to admit you have a problem. Your actions reinforce how people perceive the problem.
CEOs need to reset their approach to risk and security to avoid getting fired. The purpose of the security program is to create a balance between the need to protect and the need to run the business.
Authored by Paul Proctor, VP Distinguished Analyst, Gartner