Why more CEOs will be fired after a cyberattack

The cyberattack on Equifax is a sobering reminder for any CEO of the perils involved with data breaches. Regulatory trends indicate increasing responsibility for boards and executives in reporting and preventing cyberattacks. 

It’s just another aspect of burgeoning risk that hits senior executives directly. While you can’t control if you get attacked, you can control your organisation’s readiness to respond and weather the storm.

At no point is an organisation ever perfectly protected. It’s a legitimate business decision, however, to choose to accept a reasonable amount of risk. You don't have to be the most protected organisation on the planet. Indeed, if you choose to push endlessly towards reducing risk, there’s a law of diminishing returns.

Continuously driving to eliminate risk will eventually have a negative impact on your business by harming efficiency, lowering customer satisfaction or <pick a negative impact>. For anyone on the board who doesn’t believe this, please hand in your smart phones and tablets because they aren’t safe! 

CEOs need to reset their approach to risk and security, otherwise they risk getting fired. The purpose of the security program is to create a balance between the need to protect and the need to run the business.

Gartner has identified seven reasons why more CEOs will be fired over cybersecurity breaches, and ways to hold onto your job.

1. Accountability is broken

Accountability today means “who do we fire when something goes wrong.” Organisations need good accountability to be successful. If being accountable means you get fired, no one will engage. The reality is that more CEOs will be "held accountable."

In the future, you’ll look back and judge the defensibility of the decisions that were made before the incident. Were you spending the right money on the right things? Are you defensible to your key stakeholders?

Without good risk engagement there’s no accountability – "I just did what the security people told me to do." Sell your executives on defensibility of decisions, not protection.

Strong accountability models, in which risks rest with those that have the authority to address them, ensure that systemic security problems are not allowed to fester.

2. The cultural disconnect

There’s no such thing as perfect protection. Many boards will lead you to believe they understand this, but they don’t. They still think this is a technical problem handled by technical people, buried in IT. They believe this problem can be solved.

What happens if you tell an executive you have a patching problem? They say: "well, why don't you fix it!" Reporting levels of patch readiness to executives only tells them that you’re doing your job.

“I trusted the security people to get this right” will lead more executives to getting fired. By hiring the right people with the right technical knowledge, you can lessen the chance of being attacked and stay out of the headlines.

3. The server that never got patched

While there may be a legitimate business reason, many organisations have a handful of servers that never get patched. The problem is that no conscious business decision is made. It could be a business unit executive making the call, which never gets recorded or reported.

Invisible, systemic residual risk is everywhere. Conscious decisions need to be made regarding what an organisation will do, but more importantly, what it won’t do to protect itself.

4. Your security officer is the defender of your organisation

Security staff are hired because they’re experts and their job is to protect the organisation. This silos the issue, placing people in charge of protecting business outcomes they don’t understand.

Engage your executives — this is their risk.

5. Throw money at the problem

You can't buy your way out — you still won't be perfectly protected. Organisations that have doubled their security budget are starting to build unsustainable solutions. Lack of consideration for ongoing operational costs is a common problem.

Avoid negatively impacting business outcomes by raising operational costs and potentially damaging the ability of the organisation to function.

6. Risk tolerance and appetite are fluffy

Organisations create generic high-level statements about their risk appetite that don’t support good decision making.

Avoid promising to only engage in low risk activities. This is counter to good business and creates another good reason to fire you if you engage in risky activities.

7. Social pressure

You got hacked? You must have done something wrong.

Blaming an organisation for getting hacked is like blaming a bank for getting robbed. The difference is that the banks are defensible — most organisations aren’t. This isn't fair, but sometimes people just want heads to roll.

Mayors don't get fired because a fire burns a section of town; they get fired for lacking the investment in readiness to deal with a blaze that got out of control.

The first step to recovery is to admit you have a problem. Your actions reinforce how people perceive the problem.

Tom Scholtz is a research vice president, Gartner Fellow and chief of research for security and risk management. He advises Gartner clients on security management strategies and trends. Tom will be presenting at Gartner Security & Risk Management Summit in Sydney, 20-21 August 2018.