C-Suite in the Hot Seat – Execs’ Responsibility Regarding Digital Security

Posted by John DiLullo SEP 10, 2019 ON

Are you killing your numbers? Crushing your targets? Growing your team? Leading with authenticity and building a loyal following? What a shame it is that your tenure may already be over.

While you were busy winning and shredding the competition, a cybercriminal breached your network. Don’t be too embarrassed, it happens to almost everyone these days. The average “dwell time” of an intruder is more than 100 days, so it’s hard to know exactly when that bucket of ice water was tossed on your dreams. Unfortunately, even if you’re doing everything right, recent examples illustrate that our jobs are on the line when hackers come a-knockin’.

Very few of you reading this are in the cybersecurity industry and you may simply view network security as something relegated to the IT department. Maybe you see IT security as a nuisance or as a chore or as a cost center. Maybe you take a more cynical view and feel that the threat is imaginary just like that fake landing on the moon back in the ‘60s. Or perhaps you play along and give the children what they want allowing “Christmas to come early” for the geeks, with loads of expensive new toys under the tree.

Time to wake up and smell the coffee! Security has reached a crisis and we’ve got to solve this problem as an industry or face a dystopian future worse than anything envisioned in the Planet of the Apes or Terminator II! Security is becoming everyone’s job; especially executives’ jobs. If we can’t keep our enterprises secure, we’re only doing a disservice to our shareholders, our employees, our customers, and, yes, even our precious careers.

If Only There Weren’t So Many Examples

Back in September of 2017, then-Equifax CEO Richard Smith resigned from the credit reporting agency amid backlash for a data breach that compromised the sensitive personal information of 143 million Americans. Smith said that he decided to step down out of the belief that “it [was] in the best interests of the company to have new leadership to move the company forward,” as quoted in a statement shared with NBC News. In so doing, he forfeited his estimated $3 million bonus for 2017 and left without severance. Ouch!

No executive wants to find themselves in the immediate aftermath of a data breach. It’s a tough spot for boards and a tough spot for anyone in management, especially when the public well-being is compromised. Of course, Smith isn’t the only one who’s ever left in the wake of a security incident. Similar transitions occurred at Target, Sony Pictures Entertainment and Uber following high-profile data breaches at these companies.

Resignations are Just the Beginning

As we all know, being asked to pack your desk is just one possible consequence of a data breach. However, by no means do the outcomes of a security incident usually end there. More often, turnover at the top of these organizations is just the beginning for an organization victimized by a successful attacker.

Months after an executive resigns, organizations that suffered a data breach tend to report lost revenue. That’s exactly what happened in the case of Target and Equifax. According to the New York Post, the former reported a profit drop of $440 million for its fiscal fourth quarter in 2013 as a result of a data breach. Meanwhile, the latter recorded $87.5 million worth of expenses within just two months of its 2017 security incident. The credit reporting agency estimated at the time that it could face an addition $110 million in future costs associated with the breach, as reported by Reuters.

These financial costs not only hurt executives, they divert money from other crucial areas of business. For instance, CFO found that organizations usually pay lower dividends and invest less in research and development over the first five years that directly follow a data breach. As a result, victim organizations lose their competitive advantage, thereby weakening their future business prospects.

And these aren’t the only ways that a data breach can undermine an organization’s competitive edge. Digital criminals are after organizations’ proprietary information, including their customer lists, IP, and trade secrets. If bad actors gain access to this information, they can monetize it on the dark web or sell the information to a competitor or foreign government. And who want’s their IP for sale to the highest bidder?

Putting the Consequences into Perspective

I’d be remiss if I didn’t qualify the above. In reality, many of the consequences of a data breach discussed in the previous section are short-lived. Harvard Business Review found that the stock prices in the Home Depot, Target, Sears, and JP Morgan Chase all rebounded soon after an initial dip that immediately followed their announcement of a data breach. Additionally, those executives who decide to weather the public backlash associated with a security incident often enjoy a pay raise. This phenomenon reflects organizations’ desire to keep their leadership so that their executives may provide a sense of stability through a data breach and fix structural issues in the company itself, Help Net Security reported.

That Was Then…This is Now

All of this could change amid the surge of data protection frameworks, however. The evidence is in the fines that organizations could pay, and have already started to pay, as a result of a data breach. More specifically, we all know that the European Union’s General Data Protection Regulation (GDPR, which the UK has also adopted) comes with penalties of four percent of annual revenue for the previous fiscal year or 20 million euros, whichever is higher. That’s a hefty price tag for any organization that might suffer a data breach in the coming years.

A few organizations have already incurred serious monetary penalties after falling victim to a security incident. In January 2019, for instance, France’s data protection agency known as the “Commission nationale de l’informatique et des libertés” issued a 50 million euro fine to Google for the tech giant’s apparent violations of GDPR. A month later, the Washington Post reported how Facebook was in talks with the U.S. Federal Trade Commission over a possible “multi-billion dollar fine” for its alleged failure to improve its platform’s privacy. Such a fine, as TechCrunch noted in its own coverage, could be “one of the only ways to punish a company so wealthy that paying out millions would be little more than a passing annoyance.”

Too Loud a Message to Ignore

Beyond the risk of losing our jobs in the event of a data breach, we have a larger responsibility to all of our employees, shareholders, customers, and partners to safeguard their interests and information.

The only way we can fulfill this duty is by taking our organization’s digital security seriously. That effort begins with realizing the true threat we face – from sophisticated, organized cyber gangs who have tremendous resources and expertise. Security is not a “set it and forget it” practice, but an exercise in constantly reviewing security strategies and investing in people and new technologies. It requires everything from ongoing security awareness programs for employees and basic security controls like patch management to the newest, most innovative network security solutions needed to detect advanced threats that have demonstrated their ability to evade detection by conventional security tools.

I have the benefit of working in security, so I see every day how talented and persistent the bad guys really are. And it keeps me up at night. I encourage you to make security a priority, for your customers, your employees, and your company. As you’ve probably realized, just like the efforts one puts into building their career, the work in security is never done. Stick with it! Your success and your ability to continue beating your numbers and shredding the competition depend on it!