[BreachExchange] Eight reasons more CEOs will be fired over cybersecurity breaches

Destry Winant destry at riskbasedsecurity.com
Tue Nov 13 09:53:14 EST 2018


https://www.techrepublic.com/article/eight-reasons-more-ceos-will-be-fired-over-cybersecurity-breaches/

In September 2017, Equifax admitted it had been hacked. The breach of
sensitive information affected 145.5 million people, with those behind
the hack accessing user data including tax identification numbers,
Social Security numbers, birth dates, addresses, driver's licence
numbers, and credit card information.

Equifax chairman and chief executive Richard Smith stepped down from
the embattled credit rating agency days after the breach was admitted.
Facing a US House Committee a month later, Smith accepted
responsibility for the breach, saying "I was ultimately responsible
for what happened on my watch".

Speaking at the Gartner Symposium/ITXpo on the Gold Coast in Australia
last month, Gartner VP Paul Proctor said the former CEO set a
precedent when he left. Proctor expects it will be a trend likely to
continue as more breaches emerge.

Here are eight reasons why.

That server that never gets patched

"Another way to say this is: Invisible systemic risk," Proctor explained.

It's the idea that an important process demands a system stay online
at all times because it supports core business functions.

"The problem with this is, is that there is a business executive that
is making that call—it's not security people—those people don't really
have an understanding of the security," Proctor said.

"This is happening across the organisation from systems not being
patched to security being gotten around by the people inside the
organisation. Security people might know about this, but the problem
is it's invisible because you're not telling anybody about this
properly."

The cultural disconnect

The cultural disconnect can best be described as treating security
purely as a technical problem handled by technical people and as a
result buried in IT.

"They treat you like wizards. They give you some money, you cast some
spells, the organisation is protected, and if something goes wrong,
you must be to blame," Proctor said.

"Why has no IT executive ever asked you to build a secure system?
Because what idiot would build an insecure system? The problem is that
if we told them that building a secure system cost twice the budget
and would extend the schedule by twice as much—we don't tell them
about that and they don't pay attention to that."

He said it's a shame that too often security staff would approach an
average non-IT executive to report a problem with patching, only to be
dismissed and have their competence questioned with the retort of why
it isn't fixed yet.

"All of this cultural disconnect leads to poor investment decisions,
poor priorities ... and this also leads to the idea of: 'Well, I
trusted the security people to get this right'," he added.

Throwing money at the problem

"It is actually possible to overprotect the organisation," he said.

"I would say [overspending leads to] inappropriate investment
decisions, because it's not always about spending too little,
sometimes it's about spending too much in the wrong areas."

The outdated approach boards had of doubling or tripling investment
and pushing security to the back of their minds is no longer
acceptable.

"The truth is you're not going to be perfectly protected if you do
that, what you are going to start doing is damage the ability of the
organisation to function," Proctor explained. "Basically for a CEO,
spending a bunch of money to impact negatively on your business
operations and your business outcomes is not the winning formula."

Your security officer is the defender of the organisation

"I have been a security person for 30 years, so I can say this:
Security people can be annoying—they're the 'no' people, they walk in
and they say: 'Look, I was brought in to protect the organisation so
no, you can't do that'," Proctor said.

"The first line in most security charters is the purpose of this
charter is to protect the organisation from all types of threats etc.,
etc., so what this does is engender a lot of telling people what they
can do and what they can't do and that has never worked in the history
of organisations and yet it creates an awful lot of problems."

Putting security people in charge of protecting business outcomes they
don't understand yet still telling people what to do is not
appropriate.

Accountability is broken

According to Proctor, giving executives a risk acceptance form is
basically a get out of jail free card.

"Everybody has some sort of form that they tell executives to
sign—they don't care ... just tell me where to sign," he said.

Sharing an anecdote of an executive from a bank in Canada not wanting
to apply 2FA to a customer-facing application because it would ruin
the customer experience, Proctor said it's tricky to appropriately
delegate accountability.

"That person almost certainly has the authority to stop that.
Ironically, it's probably the right business decision," he said. "The
problem is that person only owns the customer experience, they own
nothing to do with the security of the organisation, so their decision
is made with that perspective—no accountability for it."

Risk tolerance and appetite are fluffy

Proctor said because accountability is broken, organisations end up
with similar inconsiderate engagements of risk.

"Everybody is creating risk appetite statements and they all tend to
say: 'Yeah we'll do risk around here'," he said.

This is usually seen within an organisation when someone approaches
the board with a great idea for an app, with a short go-live time, and
the board wants it to happen as soon as possible.

"This idea that we're going to walk around and say we only accept low
risk and then engage in activities that are actually pretty risky,"
Proctor said.

Society

"Society, when they see these breaches ... society just wants heads to
roll," Proctor said.

He said it's contradictory to accept the physical security steps in
place at a branch, but treat the online realm differently.

"When a bank gets robbed, society understands that for a bank to
operate it has to have big glass doors that open wide and they have to
have people ... have huge sums of cash on hand—society understands
that occasionally someone with a gun is going to say: 'Fill a bag with
money'," he explained.

"Society is okay with that because we exhibit sympathy for the people
at the bank. Cybersecurity not so much.

"The first question that arises when cybersecurity has a problem is
somebody screwed up. This is because we treat cybersecurity like a
black box and until we change the conversation, until we start talking
about the fact that to use data we actually have to make it open and
that leads to problems sometimes nothing is going to change."

Transparency

"Many organisations don't want to be transparent about these things,
they want to hide them, put it in the legal department so it's under
attorney-client privilege," Proctor explained, noting also that means
no disclosure externally and potentially internally is required.

"This is a pretty huge reason that we end up with poor decisions about
priorities and levels of investment."

The CEO is responsible for everything that goes on within an
organisation, so if any of the eight reasons Proctor listed occur
within an organisation, and a breach ensues, the CEO should be asked
to leave.
