Ensuring your senior executive ‘C-Suite’ is on top of the organisation’s cybersecurity strategy is essential for CEOs who wish to keep their jobs.
Against the background of the notifiable data breach and consumer data right laws; customer awareness of how businesses use, abuse and lose their data; and social media activism, CEOs have millions of pairs of eyes scrutinising their cybersecurity missteps.
So failure to spark the right C-Suite conversations and create a ‘cyber-forward’ culture could lead to Australian CEOs following their US counterparts into enforced retirement — or being sacked by the board.
Consider the fate of Richard Smith, former CEO of Equifax. Smith fell on his sword within three weeks of the public backlash to Equifax’s 2017 breach, which resulted in the third-largest US consumer credit reporting agency shelling out $US700 million ($A1.037b) in penalties, the largest US settlement for a data breach.
Criminals stole names, home addresses, phone numbers, dates of birth, social security numbers, driver’s license numbers, and credit card details. Equifax’s share price took two years to recover after it plunged by half on news of the breach. US regulators also required Equifax to submit its IT systems to external auditors for ongoing review.
“The cybersecurity incident has affected millions of consumers* and I have been completely dedicated to making this right,” Smith said in an Equifax announcement of his early retirement. “At this critical juncture, I believe it is in the best interests of the company to have new leadership.”
How not to set yourself up for failure
IT analyst Gartner identifies seven failures of cybersecurity governance and response:
- Line-of-business executives leave servers unpatched
- C-Suite executives see cybersecurity as a technical problem, which they shunt to IT to fix
- Throwing money at cybersecurity raises operational costs with no benefit or improvement
- Unsure of the organisation’s wider mission, cybersecurity managers enforce inappropriate controls that unnecessarily lock down systems
- Accountability systems may discourage business managers from speaking up
- Organisations write “fluffy” risk statements that are unrealistic about their tolerance for risk in the real world
- Society blames the victim and organisations scapegoat failure
So for organisations to strengthen their cybersecurity posture, CEOs should nurture a culture where employees and partners will speak out without fear of being blamed or scapegoated, says OBT CEO Shane Muller.
Muller suggests that CEOs use their knowledge of the business and of managing risk to spark cybersecurity conversations inside the business. And he advises CEOs to be sensitive to the other demands on their executives that may conflict with, or distract from, effective, risk-based responses.
“The head of marketing, HR or operations has a tremendous list of things to get done to address the objectives of the organisation. And they're KPI’d (judged) on that; on marketing outcomes or revenue,” says Muller.
“A CEO asking, ‘How secure is the marketing database?’ or ‘Where's all my HR data?’ is a spanner being thrown at them.
“You gave your executives responsibilities — don’t derail them. Cybersecurity must advance their missions.
“We recommend the CEO keeps front-of-mind the objectives of the head of HR or marketing and facilitates someone [such as] a Chief Information Security Officer (CISO) to help them achieve their objectives in a secure manner.”
Show empathy while being emphatic that cybersecurity must improve
But Muller emphasises that the most fruitful discussions encourage all sides to open up, be transparent and illuminate shared agendas. And that may mean past sins are absolved.
So a CEO should set the frame of discussion as empathetic and forgiving while making a call for urgent, positive action. That includes going on the front foot to provide fresh resources to address identified cybersecurity issues and being open to such requests.
“Don’t come out with a big stick and don’t get stuck in blame games; these are counterproductive,” says Muller. “And if someone comes to you with a historic, heretofore unknown or unaddressed vulnerability, praise and reward them for their honesty instead of brushing it under a rug.
“Your job may depend on it.”
* Between 143 million and 148 million Equifax customers were harmed in the credit rating agency breach. (Sources: US Federal Trade Commission, CNBC, EPIC, Gartner)