Consider the reality of a cyber breach. The board of a company hears about the most recent highly publicized breach and asks the CISO about it. The CISO is reassuring (“I’ve got this”), indicating that all the latest edge protection, intrusion detection, and other technologies are in place. Guess what? If you asked the Equifax CISO two weeks ago, you’d have heard the same thing. And Equifax’s problem isn’t with the CISO. Equifax’s problem is the leadership and cyber culture of the company.
Many organizations employ good technology, just like Equifax, and yet their business can be just as exposed as Equifax was exposed. Equifax has already lost nearly $7 billion of its market value. It’s likely to lose a big part of its business and it remains to be seen, but we may even see a significant portion of the economy impacted.
A deep moat and double walls don’t make up for internal fire protection!
If your organization were breached, you could have had that all covered. You could have had the proper people, processes, and policies in place, and been able to show proper governance to avoid liability for third-party suits. But now it’s too late. Two weeks ago, your CISO said, “I don’t want to give the board another tool so they can beat me up about security. I’ve got this!” And billions in value vanished because he didn’t actually “have it!”
The lack of top-down governance over the entire company is the problem – it’s not inadequate endpoint protection, it’s not a deeper moat/higher wall problem. Of course, you need to control endpoints and intrusions every day, but they represent only about 20% of the exposure. We are faced with a governance risk issue, and CISO’s aren’t responsible for governance – boards and CEOs are. The CISO may have his or her feet held to the fire – but the board and the executive team ultimately hold the risk and responsibility.
This Equifax breach may – may – light a fire under boards to put cybergovernance in place. If boards don’t put governance practices in place, the government will. Then we will live under the cyber equivalent of Sarbanes-Oxley. We’re sure that private enterprises could do a better job without government interference – if they would just take care of business and make cyber risk part of their culture and practice.
The ultimate goal is getting people to change their behavior. It’s about the board telling the C suite, “You get me governance, and you get this solved, and don’t bring in these technology guys to tell me about endpoint solutions, threats thwarted, and broken routers – I don’t want to hear that – I want to hear about your governance program!” Everything the CISO is doing is important of course, but there’s so much more that can and should be done that’s necessary to protect the organization. We can no longer be dependent on one person saying, “I’ve got it,” because that just doesn’t work anymore.
Cyber risk governance must be integrated into the organization. It must become part of the culture. It must become everyone’s problem. It should be embedded into operations. It’s not something held out there on the side – it’s not a “plug in” – but something that is integrated into the body itself. Getting people to change is difficult. The Equifax breach is probably the tipping point for change – big change. If change doesn’t occur, we believe not only are TransUnion and Experian at risk, but so is General Electric, Dick’s Sporting Goods, Chevron, Amazon, and…well the list goes on and on. No company is immune from this problem.
We are now facing a moral imperative based on the ethics and morality involved in decision-making about cybersecurity investments. It applies to any and all of us who make money from handling other people’s public data. How do you currently decide how much to spend on securing that data? Are you making decisions based on your bottom line, or are you making them based on being ethically responsible for holding someone else’s precious data that, if exposed, might destroy their life? Interesting dilemma.
In a recent article by Thomas Lee, he cites Malcolm Harkins of Cylance as suggesting that, when companies design new products and services, they should carefully consider the risk to consumer safety and privacy. Incorporating cybersecurity into a company’s ethical framework is necessary to ensure that consumers are protected. “We are focusing on the wrong things…[c]ompanies and boards should act on behalf of shareholders and society.”
You can describe the damage to an Equifax victim in dollars, maybe, but you can’t weigh in the unethical, immoral behavior of Equifax in putting these people in danger. You cannot explain that away. That’s not worth an annual credit report status. That’s not worth $10, $100, $1000 – it’s simply unethical and immoral.
America deserves better. The American consumer deserves better. Our economy deserves better. It’s a failure of epic proportions. The main risks are inside the walls. We need better governance of cyber risk at the top level of the company. To be clear, that’s the CEO and the board. What will it take for the big change? What damage will it take before CEOs put cyber culture at the forefront of their responsibilities? Will we change, or is it going to take a cyber Sarbanes-Oxley to get our attention?