"Security as a business enabler" was the mantra echoing through Earl's Court Exhibition Hall in London during the recently concluded 2014 Infosecurity Europe conference, a message that should have been heeded by top executives at retailer Target last year (see Did Target's CEO Need to Go?).
"IT security is not just an IT problem, it's actually a business problem, and therefore needs to be treated like every other business problem," Brian Honan, chief executive of the Irish Reporting and Information Security Service (Ireland's computer emergency response team), said in an interview with the conference sponsor.
That's a lesson Gregg Steinhafel learned too late. Had Steinhafel adopted Honan's wisdom, he might still be Target's president, CEO and board chairman, positions he relinquished earlier this week. But because of last year's massive breach, as well as other problems Target faced, such as a problematic rollout of stores in Canada, Steinhafel now finds himself a company adviser, not its leader.
Steinhafel's fate should serve as a lesson for other CEOs who see security as a technical problem, one that should be addressed by CIOs and chief information security officers with little involvement from the executive suite.
"If there was any remaining doubt, this clearly demonstrates that security is a business issue and must be taken seriously by boards," says Steve Durbin, global vice president at the Information Security Forum, a not-for-profit industry group that promotes IT security best practices.
A Very Long Tail
"The resignation reinforces what some of us in the industry have been saying for some time, and that is that breaches of this nature have a very long tail, have significant impact not just on reputation - and therefore stock price - but also on customer and board confidence in the leadership of the organization," Durbin says.
CEOs and boards make decisions based on risk all of the time - markets to enter, products to manufacture, investments to make. "So far, some of them have not appreciated the level of risk that might be attached to a cybersecurity event," says Francoise Gilbert, an attorney who advises clients on data security and privacy. "Target CEO's resignation might help CEOs and boards visualize the drastic consequences of a cybersecurity incident and understand that the consequences of a cybersecurity incident may be so significant that it may cause them to lose their position."
Gilbert says it's incumbent on companies to make sure they have at least one board member who's very knowledgeable about IT and IT security. And IT consultant Beth Perlman says that board member shouldn't be just any tech-adept executive. "The usual technology savvy board member is a CEO of a technology company and not someone that is cyber knowledgeable," says Perlman, who served nearly eight years as CIO and chief administrative officer at the utility holding company Constellation Energy. "I hope that [Steinhafel's departure] is a wakeup call."
Mapping Threats to Risk
Durbin says other organizations should use the Target upheaval to address the shortfalls in their IT security and build a cyber-resilient approach to operating in cyberspace. This includes implementing business continuity and disaster recovery initiatives, business and shareholder communications and regular, honest communications with customers to restore confidence.
"Persuading boards of the need for further investment in security and risk [management] is not a fear, uncertainty and doubt issue - it is about clearly detailing the risk profile that is acceptable to the organization, mapping threats and vulnerabilities to those risks and determining the programs and plans that need to be funded to address any shortfall," Durbin says. "These are business-based decisions, and it is right and proper that the leadership of our businesses are seen to be taking responsibility for these decisions along with bearing the consequences when things go wrong."
Even if CEOs and boards take greater responsibility for their enterprises' IT security, that won't necessarily prevent cyber-attacks. But that's not the point. Security is a business enabler and needs the attention of those who run organizations. As IT security consultant W. Fred Seigneur points out: "Hopefully, CEOs will understand that their job and career depends on ensuring security, and the buck stops here." That's a lesson Gregg Steinhafel learned, but a bit too late.