Original article published in French on Benoit Grenier’s blog
For the past several years, I have heard of or been involved in a growing number of events which have been, or could have been, catastrophic for the organizations involved. Examples would be: a natural resources company which fell victim to a group of ecological activists (Hacktivists); a very large non-unionized company which suffered computer attacks aimed at collecting the names and addresses of employees to support a plan to unionize the company (Crackers); a food manufacturer which a competitor attempted to discredit by propagating Facebook videos purporting to show that foreign bodies had been found in its products (Spy Hackers); a non-profit organization which discovered, by accident, that its servers were being used by a foreign terrorist organization (Cyber Terrorists); or, most recently, a foreign State interfering in the presidential elections of another country (State-Sponsored Hackers). Not to mention the unprecedented wave of digital extortion and demands for ransom (Ransomware) to which a number of organizations have been subjected. Threats to computer systems and social media platforms are increasing, are increasingly innovative and can seriously affect the financial results, the image, the growth and even the survival of businesses and organizations.
Moreover, as can be read in a news report from CBS News:
More than 80 percent of U.S. companies have been successfully hacked, according to a Duke University/CFO Magazine Global Business Outlook Survey released on Friday.
(…)
“Corporate America is an easy mark for hackers as we are repeatedly reminded in the news,” John Graham, director of the survey and a professor at Duke University’s Fuqua School of Business, said in a statement. “However, it is not just big firms like Target that are being hit – 85 percent of smaller firms are also under siege. No one appears safe. The situation may even be worse than reported because many firms might not even realize that they have been attacked.” http://www.cbsnews.com/news/percentage-of-companies-that-report-systems-hacked/
Still, it is generally the CIO (Chief Information Officer) who takes the blame and who is dismissed if it is demonstrated that an attack succeeded because of a lack of preparation rather than a fortuitous event. That is what reassures the CEO. After all, did he not surround himself with professionals who are responsible for their fields of expertise? No doubt that is what the CEO of Target said, who had to resign after the theft of credit card data from 40 million of their clients.
In the past, some took the view that it was cheaper to pay to clean up the mess after a breach than to invest heavily in trying to prevent it. Remediation, however, is no longer a viable strategy. The leaks of customer data from Target Corporation will cost the company more than $500 million simply to replace credit cards. Meanwhile, customers and small banks have filed 68 class action lawsuits, in more than 20 states, alleging that Target did not take proper steps to protect consumer data. Because the breach occurred early in the holiday shopping season, Target’s net income for the fourth quarter of 2013 fell by 46 per cent. The long-term impact on the retailer’s brand is as yet unclear.
The problems of communication between CEO and CIO
One of the most important solutions to the problems of cybercrime which affect organizations is a healthy dialog between the CEO and the CIO, and then with the rest of the employees. However, most of the time, they do not speak the same language. They do not have the same objectives and do not assess risks in the same way. This difficult dialog is nonetheless essential. This was the observation made by Entrepreneur.com in their article “CEOs Can No Longer Sit Idly By on Cybersecurity”.
Not too long ago, a corporation’s cybersecurity initiatives were discussed only within IT departments. Even when breaches occurred, the spotlight focused on root causes and the technical fixes needed to remedy the matter. Rarely would such an issue have repercussions for any executive team member.
(…)
The loss of corporate data, violations of privacy laws and the degrading or total shutdown of business operations is becoming commonplace in today’s connected environments. These incidents put every organization — and executive team member — at risk.
This means each person on a company’s management team must be armed with the requisite knowledge to make informed decisions about cybersecurity — not just an understanding of the basic concepts. Executives must understand more in-depth technological concepts and applicable laws and the future opportunities for senior IT and business managers, innovators and information entrepreneurs to solve information-security challenges. https://www.entrepreneur.com/article/233911
But the problem remains that the CEO often does not understand the language of the CIO, and that the latter, despite being inclined to adapt to the CEO, continues to speak “technology” instead of “business objectives”. This observation is made clear in an article on CIOInsight.com called “The Differences Between CIOs and CEOs”. There we learn that when CIOs are asked what their boss expects of them for the coming year, their answers revolve around achieving revenue objectives, completing business projects, acquiring and retaining clients, simplifying IT, and product innovation. By contrast, when asked what their personal goals for the coming year are, they talk about data management and statistical analysis, mobility (including the management, security and “stores” of apps and tablets), application development including ERP and CRM, leveraging public, private and hybrid “clouds”, and security including antivirus, VPN, firewalls and unique identifiers. Let us say that this is the kind of jargon which puts off the big bosses and the management committees of businesses.
So, what’s the problem? The problem is that when the priorities of the CEO and CIO are not in synch it inevitably leads to, at best, misunderstandings about the value that IT is delivering to the organization and, at worst, a communications and credibility disconnect between the CEO and the CIO that can be difficult to repair. Neither one is good for the organization or for the CIO’s career trajectory. https://www.entrepreneur.com/article/233911
A problem of perception
The other major problem of the CEO in the face of the growing risks of cybercrime is one of perception. As the expression goes, “they are talking the talk but not walking the walk”. Most American CEOs are aware of the issues and risks of cybercrime; they take them to heart and include them in their objectives, but absolve themselves of responsibility by transferring it entirely onto the shoulders of the CIO. In the article “CEOs disconnect between cyber security perception and reality” one can read the following:
The survey, which is based on 200 CEOs from various industries, such as technology, finance, manufacturing, government and retail, discovered that 80% of CEOs are confident in their company’s cybersecurity strategies, regardless of the fact that security incidents have increased by 66% year-on-year since 2009.
Ray Rothrock, chairman and CEO of RedSeal said: “CEOs are underestimating their companies’ cyber vulnerabilities. Their confidence does not square with what we observe. Cyber-attacks are up and financial losses associated with these attacks are increasing dramatically.”
(…)
Plus, 79% of CEOs strongly agree that cybersecurity is a strategic function that starts with executive leadership versus being a responsibility passed on to the IT team, 89% of these same CEOs report reliance on their IT team to make the budget decisions on cybersecurity. http://www.cioinsight.com/it-management/expert-voices/the-differences-between-cios-and-ceos.html
There is still a lot of work to be done to make the big bosses aware of the real dangers to which they are exposed, and of how these risks can be mitigated so as to reduce them considerably. That is what I will present in the coming posts.
Benoit Grenier
CEO & Founder
Proactive Risk Management
www.parminc.com