While companies are finally coming around to hiring CIOs and CISOs as part of their C-suites, it's looking like a half-hearted move at best: close to half of CISOs recently indicated that their growing responsibilities are vastly outpacing their capacity to address issues.
Burnout is a perpetual factor for CISOs and the technologists and analysts they manage.
Meanwhile, a recent study tracking executive cybersecurity habits found that the C-suite itself is one of the biggest areas of risk, with 93% of CEOs admitting to keeping work on unprotected personal devices, and 59% admitting to downloading non-approved software to company devices and computers. Adding another log to the fire is the recent study finding a severe and fundamental disconnect between what CEOs perceive as the biggest cybersecurity risk to their companies and what their infotech and infosec leaders perceive: 60% of CEOs assume malware to be their biggest threat, compared with the 35% of technical officers (CIOs, CTOs, and CISOs) who agree.
Why the disconnect?
If data breaches make daily news and are getting more expensive, and hackers are giving CISOs new gray hairs on an almost hourly basis, why does it seem like the rest of the C-suite is partying like it's 1999?
There are a variety of possible factors--the skills shortage in cybersecurity and the ever-increasing number of potential attack vectors for hackers both come to mind--but the largest and most often overlooked factor comes down to who actually bears the high stakes of a breach.
Simply put: the consequences of a breach, even a seemingly apocalyptic one, for a company, its shareholders, and CEO don't even remotely compare to what can happen to those customers and employees whose personal information has been compromised.
The minimal consequences of a data breach
Looking at some of the bigger breaches of the last several years, there's not a strong correlation between the severity of the compromise and the overall net effect. Target's 2013 data breach, which exposed roughly 40 million credit and debit accounts, ended up costing the company a total of $202 million by its own admission, including legal settlements and litigation fees (and net of costs offset by a cyber-insurance policy the company held).
If this seems like a significant sum, consider that the company's failed attempt to expand into Canada during the same timeframe cost it $2 billion in comparison, and that the combined effects led to the ouster of then-CEO Gregg Steinhafel with a $61 million severance package. Target experienced a short-term 10% drop in stock price, which had more than recovered two months later.
Ditto Home Depot, which announced a $161 million loss in relation to its 2014 breach of 56 million cards and quickly rebounded. Sony CEO Amy Pascal received $40 million for her exit following the massive breach on her watch. Equifax, whose breach was perhaps the broadest in compromised records (147.9 million!) and the deepest in terms of the data exposed, reported a 20% increase in revenue from 2016 to 2017, and managed to send ousted CEO Richard Smith packing with as much as $90 million.
The cost to the individual does not need to be illustrated with case studies. When an identity thief successfully taps into the average consumer's financial life, the result is life-altering, to say the least. The time needed to get things back to normal can derail careers, and the problems that arise are all-consuming.
This isn't to say that major and public data breaches don't have any consequences. I certainly don't envy the CEOs of Equifax, Facebook and others who have had to sweat through Senate subcommittee hearings, face popular outrage, lose their positions of power, and generally be the butt of jokes and ridicule.
I'd also have a difficult time imagining that any one of the millions of consumers who, as a result of these breaches, have to keep a close eye on their credit reports and bank accounts (and the Explanation of Benefits statements issued by their health insurers) and hope for the best wouldn't happily and eagerly trade places with those executives in exchange for a golden parachute. Instead, they're forced to spend the rest of their lives looking over their shoulders.
This is not a rallying cry to get out the torches and sharpen the guillotines - far from it. It is, however, meant to shed some light on a very wide gap between the stakes borne by consumers and by companies' technical officers on one side, and by the boardrooms and shareholders on the other, who--despite many, many examples--are still failing to come up with clear and cogent cybersecurity strategies, or even to prioritize them adequately. The disconnect will persist as long as legislation in the U.S. fails to ensure widespread compliance with cybersecurity basics.
No matter how many times I invoke Peter Drucker's line that "culture eats strategy for breakfast," until the expenses of litigation, regulatory interaction, lost business and diminished stock prices come anywhere close to the financial and emotional tumult caused by a destroyed credit history, drained bank account, stolen identity, or worse, the status quo will be more of the "trouble runs downhill" variety.