Another day, another data breach. On Tuesday, Staples said it was investigating a “potential issue” with its customers’ credit card data. This comes as Kmart stores and Dairy Queens earlier this month reported stolen data, including credit card numbers. Prior to that it was contact information for 76 million households pilfered in an attack on J.P. Morgan’s network, and earlier breaches at Home Depot and Target.
One thing is clear — CEOs need to put security on their strategic agendas alongside revenue growth and other issues given priority in boardrooms.
Unfortunately, outside of the resignation of Target’s CEO and CIO after a hit to their profits, it seems as though it’s business as usual in corporate America.
The headlines are dramatic and media trumpet the “wake up call” factor, but because there are so many data compromises, relatively little consumer outcry and barely, if any, stock impact, CEOs don’t seem to be making security a priority. It could be “data breach fatigue,” as The Washington Post suggested. Maybe executives consider it part of the cost of doing business online and figure they’ll deal with it when it inevitably happens to them.
It’s likely both, and maybe a feeling that the ecosystem is partly to blame. There’s a short-term mindset and a convenient denial in board rooms. Top executives don’t realize their systems are vulnerable and don’t understand the risks. Sales figures and new products are top of mind; shoring up IT systems isn’t. The connection between data breaches and monetary loss isn’t always clear.
A Ponemon/Websense survey found that 80% of the more than 4,000 global respondents say their top executives don’t equate losing confidential data with a potential loss of revenue. That’s despite the fact that the average cost of a data breach is an estimated $640,000, according to the latest figures from the Ponemon Institute. Meanwhile, nearly half of the survey respondents said there was a sub-par understanding of security issues at the board level. The disconnect between perception and reality puts organizations at a severe disadvantage against all the bad guys pounding on their networks. Try enough windows and doors and you’re bound to find some that aren’t locked.
Again, the likelihood of a negative event is hard to quantify. But until there is a C-level evangelist at the board level, security will continue to take a back seat to things that are easy to calculate and core to a business model — like profits.
A perfect example is Target (TGT), where the lack of a chief information security officer has been cited as a “root cause” of the breach. Budgets and priorities are set in the board room; strategy is dictated from the top. The culture of security needs to trickle up from the organization’s front lines, where security professionals inside the company are seeing threats firsthand and are challenged to beat the bad guys. This is going to require a serious cultural shift. Until top executives put security on the same agenda as their profit margins and start listening to their security experts there will continue to be big breaches.
CEOs have the power to stop “data breach” from being a trending topic next year. At a minimum, adopt the SANS 20 Critical Controls, an industry-developed set of guidelines to help corporations defend against the most common types of computer attacks; maintain them and exceed them. This list is a good place to start, as is PCI compliance, but it’s a start, not an end. Also, hire a C-level executive who is devoted to security. Call her “Chief Information Security Officer” or “Chief Security Czar” — whatever. The title isn’t important — the dedication to improving security at all levels is.
Finally, ask your CSO if all the really sensitive corporate and customer data is encrypted on all devices employees are using — not just in the office or on the server. If not, ask why.
Let me be clear — no company is immune. However, if you’re not doing at least the minimum, you’re low-hanging fruit for criminals. Just because a breach doesn’t cause catastrophic loss doesn’t mean security shouldn’t be on the boardroom agenda. CEOs need to prioritize security for the right reasons — not because a breach might impact stock prices, but because it’s the right thing to do to protect consumer privacy.
John Hering is Co-founder and Executive Chairman of Lookout, a San Francisco-based mobile security company.