Preparing for a Cyber Incident
Organizations need to have cybersecurity and risk-mitigation policies embedded into their culture and business DNA. Phil Lieberman, founder and CEO of Lieberman Software, was quoted on The Next Web in a September 9, 2012, article stating: “Many companies don’t even have a Chief Security Officer—these are multi-billion dollar companies” (https://thenextweb.com/insider/2012/09/09/why-companies-bad-responding-data-breaches/). We have experienced this firsthand with some of the largest security providers in existence today. In the same article, Lieberman goes on to explain that corporations may look at security as only a cost-risk model (https://thenextweb.com/insider/2012/09/09/why-companies-bad-responding-data-breaches/). There are valid arguments to be made from that line of thinking. Major data breaches that occurred at Target, eBay, Home Depot, and many others resulted in loss of value and a drop in stock price in the short term, but the long-term outcome was that they recovered from the security incident. We sometimes hear the argument, “Is a significant investment really needed when responding to a breach? After all, Target and Home Depot are still in business.” We would counterargue that both of those companies, as well as many others that went through data breaches, spent quite a bit of time and money attempting to win back public confidence, upgrading their systems, and implementing effective response plans for future incidents. This also takes away focus from other planned enhancements ultimately impacting customers and the organization. Regarding costs, most of the time it is far less expensive to develop an incident response plan proactively versus reactively. The problem is that it is common to get the proper approved funding only after the incident. When you ask proactively, you may get a response like “You are just talking about the cyber boogieman” as you explain the risk of being compromised.
It is absolutely critical that organizations have support from the executive (C-Suite) level for cybersecurity measures. If corporations do not have an executive sponsor for cybersecurity, they need to implement a structure that supports executive ownership of cybersecurity issues. Some organizations have their Chief Security Officers (CSOs) reporting directly to the board of directors while other smaller organizations have given traditional responsibilities of the CSO to the Chief Financial Officer (CFO) or Chief Technology Officer (CTO). Although it is not always realistic or possible, moving the CSO position outside the chain of the C-Suite executives can make quite a bit of sense. The CTO and Chief Information Officer (CIO) have roles to implement technology solutions to enable a business (hopefully in a secure manner). The CSO, however, should ultimately be responsible for enabling security while at the same time understanding the requirements set by the CTO or CIO for business operations. Having the CSO sit outside the traditional hierarchical organization chart not only allows for separation of duties but also reduces conflict of interest. Regardless of politics or personal beliefs, one only needs to look at the relationship between former director of the FBI, James Comey, and US President Donald Trump to see why it might be a bad idea to be put in a position where you need to enforce policies for your own boss. This is the same reason many organizations remove the CSO position from the standard management structure, which is simply to remove potential conflicts of interest.