The Inevitability of Security Risk in the Board Room – Steinhafel is dead, long live Steinhafel
Originating from the French proclamations of Charles VII’s ascension to the throne after the death of Charles VI, “The King is dead, long live the King” speaks to the inevitability of succession. It is now not a stretch to think about the inevitability of future CEOs leaving power and ascending to power as a result of cyber breaches.
It has long been the hopeful or aspirational claim from cybersecurity experts and vendors that ‘security is now a boardroom issue’. It was even hopeful and aspirational in 2012 and 2013 as the world began to talk about Advanced Persistent Threats. But hope became reality when the board of directors at Target acted in the wake of its much publicized security breach. Was the breach the only reason that Gregg Steinhafel was removed? Of course not, but make no mistake that the ouster of the CEO had much to do with the breach. It matters not that Target Corp. actually has a comprehensive approach to security and that Steinhafel received kudos for the way he managed the post-breach fall out.
Still not convinced that cybersecurity is in the boardroom? You only have to listen to Target interim CEO, John Mulligan, answering CNN’s question about the role of the data breach in his predecessors departure: "It was a conversation between Gregg and the board."
So how should CEOs prepare themselves now that security threats are a boardroom inevitability to be planned for (in the same way that bad quarters, law suits, and geopolitical impacts are)? Well, first they should prepare themselves for the onslaught of security champions (and the vendors lining up behind those champions!) who will expect them to care about the difference between anomaly detection and heuristics, or the benefits of format preserving encryption over traditional encryption, and other detailed security infrastructure concerns. Can you imagine the FireEye marketing campaign currently being targeted on CEOs and board members?
But this isn’t what the CEO or the board should focus on. Their responsibility is to hire and invest in strong security, risk and compliance teams to deliver on the strategies and tactics that ultimately minimize risk and raise the security bar. Board level discussions around security and risk must mirror the discussions on topics like revenue performance, growth, investment, etc. These discussions are always underpinned by a consistent set of objective, data-driven measurements, over time, that reflect internal performance, benchmarking against a peer-group, competitive comparison and understanding of 3rd party dependencies within the business process.
Now that cybersecurity has, at last, earned its place at the table, it will be exciting to see how technologies and solutions are adopted by this new era of security-minded leaders in order to communicate the business value of a strong security strategy.