Why the Entire C-Suite is Responsible in a Data Breach
C-suite executives and IT cyber pros not seeing eye to eye on cybersecurity is a common concern, but when crisis strikes this lack of alignment can have potentially catastrophic, business-ending consequences. In fact, IBM’s 2018 “Cost of a Data Breach Study” found the average cost of a data breach is up 6.4 percent globally—about $3.86 million.
While it might ruffle some feathers, the reality is that in today’s digital world, “checking the box” with cybersecurity just doesn’t cut it when it comes to protecting sensitive data, which is why the entire C-suite bears some responsibility in a data breach.
Many companies push the cybersecurity responsibility to the IT team exclusively, but that decision ignores the fact that the entire C-suite is impacted if unprotected data is compromised. If there are any takeaways from the breaches of Target, Sony and Facebook teach any lessons, one key lesson is that the responsibility to customers falls upon the CEO and causes overall distrust in the brand, with a potentially harmful impact on stock prices and current customers.
Still, a new survey conducted by Varonis, a data protection company, found that C-level executives and cyber pros are not on the same page when it comes to the implementation of data breach prevention tactics.
Where’s the Disconnect?
Despite the overwhelming number (91 percent) of IT/cyber pros that believe their organization is making progress when it comes to cybersecurity, only 69 percent of respondents in the C-suite said they were making progress. There even seems to be a disconnect when it comes to which threats are the most concerning.
More than half (53 percent) of C-suite respondents and 48 percent of IT/cyber pros identified data loss as their No. 1 cybersecurity concern, followed by data theft in both cases; however, C-suite executives prioritized protecting employee data over financial data, which was identified by cyber/IT pros, as the third most important type of data.
The Varonis survey found that “there’s more (team)work to be done to ensure both groups are united in fighting the same battle, … [and] security teams and IT pros could benefit from more face time, if not a seat at the executive table.”
Bring More Than Buzzwords
As security teams and IT pros continue to have their voices heard, they need to be able to speak beyond buzzwords. It’s not enough to say that bridging the gap is about people, processes and technology. Instead, the entire C-suite needs to understand their roles and responsibilities in the event of a data breach.
Just as the commanding officer or captain of a ship is ultimately responsible for everything that happens on the ship, the CEO is the answerable authority for issues within the company.
“Being a CEO is the career pinnacle for most people and carries the most responsibility for a reason,” said Mark Weatherford, strategic advisor to the National Cybersecurity Center and SVP and chief cybersecurity strategist at vArmour.
Since various executives in the typical C-suite have resource-related obligations, their role is to seek answers to questions that ensure the IT and security team is creating the appropriate security environment.
“The best way to prevent a breach is to have the right resources, allocated appropriately, to address both tactical and strategic security issues. It doesn’t do any good to have all the right security tools at your disposal if you don’t have the people that know how to use them or the authority to coerce the right kind of organizational compliance,” Weatherford said.
The cyberthreats and the risks that make organizations vulnerable to attack are incredibly dynamic. Without the support from top leadership for an all-encompassing security program that addresses those issues, the security leader is often left in a lose-lose situation for themselves personally and the company more broadly.
Ask Not What the Security Team Can Do For You
Instead, the C-suite should be asking what they can do for the security team. If the CISO has been budgeting for new security resources but continuously has been denied those resources and then suffers a security breach, Weatherford said responsibility should fall above the CISO, who has been trying to do the right thing.
“On the other hand, when a breach occurs as a result of a zero-day exploit or an ‘Act of God” event, it’s pretty hard to hold any particular person responsible. Negligence and arrogance are two key issues that contribute to responsibility.”
Arrogance can hinder one’s ability to see where there is room for improvement, which is why it’s important to leave your ego at the door when it comes to accepting or assigning blame. While there are some leaders who might give their performance an A+ grade, it’s wise not to overinflate one’s performance out of hubris.
Many believe the CISO role is still not given enough organizational gravitas, considering that cybersecurity is now the No. 1 risk concern of most companies. “I’m obviously biased on this issue, but I think that the CISO should be reporting directly to the CEO to eliminate any potential conflicts of interest that might occur due to filtering of the message by other C-suite members,” Weatherford said.
Yet, most CISO’s still report through the CIO, which is an inherently conflicted relationship because the roles are often at odds with each other.
Additionally, companies can explore new avenues of sharing cybersecurity liability. “The cybersecurity environment has become complex and difficult to manage without vast resources. Opportunities to do things like outsource technology and services to companies that are incentivized more appropriately is a significant opportunity to increase the security posture while sharing liability,” Weatherford said.
Growth in the cybersecurity insurance space will also help to defray the cost of security breaches as insurance creates a catalyst for both the underwriters to expect better security, and their customers to raise the bar for a better security posture that buys down their overall risk.
Pingback: Zero-day Threats: Has Detection Become Deception? - Security Boulevard