There is a lot of pressure on those responsible for protecting the information and assets within an organisation. This might be someone wearing the Chief Information Security Officer (#CISO) hat, the Chief Information Officer (#CIO) hat, or a similar security role. Often, security is simply handed to a non-security person such as the IT Manager or the Chief Executive Officer (CEO). Sound familiar?
Worse yet, many companies still do not have anyone with security responsibility at all.
These leaders can leave the job for various reasons, but we often see that after a security breach, many do not stay long. Here are just some examples:
- Gregg Steinhafel “resigned” as Target Corp.’s CEO following the data breach that exposed over 40 million credit and debit card accounts, along with personal information of 70 million customers.
- Equifax’s CEO Richard Smith “resigned” following a hack at the company that compromised the data of 143 million Americans.
- Only in the last 7 days, Bed Bath & Beyond’s technology chief “resigned” after a “possible” data breach.
Many of these leaders were “resigned”, I assume by “mutual agreement”. Of course, leaders are not always let go, but a good proportion are. TechRepublic reported in 2018 that 31% of data breaches lead to employees getting fired. This is a huge disruption to the business, as these staff are often single points of failure (SPOF). Now, I would like to think that they were good at their jobs, so here are the two possibilities:
- They were not good at the job and were negligent, and were rightfully fired.
- They were good at their job, but the business still felt the “need” to fire them.
To Fire, Or Not To Fire…
Let’s take a look at some things that your business may consider when deciding whether or not to fire.
Visibility of Risks
I’m not expecting every organisation to develop new controls to counter every single vulnerability. However, what I would expect is that the security leader informs the business of the risks. Businesses make decisions every day, and often the role of the security leader is to translate the information into C-level/board language. You need a channel to report risks upwards. Without this reporting channel, the top decision makers of the business have little visibility and little chance to take action.
Is there a clear process for managing risk? If not, this can lead to poor decision making. Often, when I ask companies what their risk appetite is, I get a blank look. Clearly, risk management is not solely for security risks, so not defining the risk appetite suggests there is a wider problem that sits outside the security leader.
Now you find yourself battling for the usual things: time, money, headcount and so on. If so, you’re not alone; the security leader may find that too. Yes, we do need the sales teams, the service and delivery teams and the customer agents to have a security mindset. However, they are not the ones giving you what you need. It starts from the top. As a security leader, you need to win the hearts and minds of those above you and around you. If top management is not committed to security, you are likely to have a very challenging time implementing it. You need budget, time and headcount to drive a security culture.
Also, security staff are hired to protect the business. However, security leaders need to change this isolated view and establish the mindset that responsibility sits with senior management.
What steps can you take if you are a security leader?
It’s difficult to say what will truly be effective in any business, as it depends on the people above you. However, here are some steps that could help you make and defend your case.
- Visibility: Get visibility above you. With the right structure and channel, the board has a chance of making better decisions.
- Accountability: Assign accountability to the business board/senior management. Get them to understand that the business is fully accountable. If your role is to present the risks, senior management’s role is to decide what to do with those risks and have that decision signed off. If there are known vulnerabilities and risks, but the board has signed off that it accepts the risk and no further action will be taken, this better protects you.
- Culture: Drive the importance of security from the top down. Again, this comes down to making the board and senior management aware of the risk and that security is a collective effort, not just the IT department’s.
The Blame Game…
Is it clear from the outset who is accountable for security? Who is going to accept risk and be accountable when something goes wrong? Businesses are too quick to give customers the PR spin that “a sophisticated attack” has occurred (are the attacks really that sophisticated?), that “steps were taken as soon as we noticed unusual activity” (perhaps it took 2 to 4 months before anyone noticed), and then to publicly declare that the security leaders have been fired (protecting senior management/the board).
Now, if this was simply down to negligence by the security leader, granted, they should move on. But if it occurred because, despite the security leader doing their job, the business decided not to act on it or give the appropriate support, we should not be quick to jump on the blame game. The other question is: do you still want to work in a place and environment where there is no support for security and no change of appetite for it?
What we teach on The PROTECT Protocol™ is to address the above problems by ensuring the right structure and communication channels, techniques for winning the hearts and minds of the business, types of controls and more. This helps bring clarity to the roles and responsibilities for security, gets the business to take action more efficiently, and better protects you.
Although nothing can be guaranteed, you may have a better chance of surviving by demonstrating that you did your job and the business decided not to take action. Businesses worry not just about the costs of the breach itself, but about PR. It’s too easy to play the blame game. The industry is a small world, and your name spreads like wildfire when something goes wrong. I am sure you want to protect your name and reputation too.
Hope that helps. Feel free to share if it will help someone. Until the next post…
👉 Like What You Read? Be a rockstar and just give me 5 more seconds by sharing this page on LinkedIn.
👉 Want More Tips/Hacks To Improve Security and Compliance Faster? Then take 10 more seconds to click on my profile, connect and follow me: https://www.linkedin.com/in/mqhopewell/