In the first installment of our series on security and the CEO, we discussed the dangerous disconnect between the rosy view of security held by the C-suite and the much grimmer reality seen in the trenches of IT. Today, we’re going to talk about the consequences of executive overconfidence in your information security program.
At a high level, executive overconfidence breeds a risky environment. When the CEO believes security is already handled, funding is allocated elsewhere, and the rest of the organization takes its cue from the top and grows complacent. Known vulnerabilities that should be fixed are left in place, and the outcome many practitioners consider inevitable follows: a breach.
Your Company Is at Risk
Not all companies have the financial or reputational safety net needed to rebound from a breach. The damage caused by preventable security breaches is severe. On average, a breach costs organizations $4 million after the fact, including the loss of business resulting from damaged customer trust.
With all the options available to customers today, in both consumer and commercial spaces, customer loyalty is already low. A breach can easily convince your customers to take their business elsewhere. After all, they will have to jump through hoops before they feel safe doing business with you again. Some customers may come back, but no one can count on that.
Can your company survive a loss of that magnitude? After all, even if stock prices rebound over the long term, companies hit with a breach will still experience significant pain and financial impact.
CEOs Are More Accountable
At least some of that pain will hit in the form of job losses, including your CEO's, which is a powerful point to raise as you discuss security realities with yours. CEO jobs are traditionally quite secure, with a mere two percent turnover rate, but after a data breach, heads as high as the C-suite roll fast and without much of a fight.
Consider Gregg Steinhafel, former CEO of Target. One hundred million customer accounts were compromised on his watch, and as the dust settled, he stepped down. As Wired points out, “[i]t turns out his job security needed more information security.”
Today, breaches and cyberattacks are viewed as a broad, systemic issue, a shift away from the former focus on the CISO and IT security team. Executives in the C-suite are the ones who hold the purse strings and set the priorities in organizations, after all.
A recent survey found that board members are most likely to hold the CEO accountable for a breach—even more so than the CIO. Nearly half of respondents also indicated a belief that CEOs should bear the brunt of breach-related backlash. That should provide some heavy food for thought for any CEO resistant to investing in a comprehensively modernized security strategy.
Security Impacts Everyone
The fact is, security affects both the top and bottom lines at any company. Security vulnerabilities and preventable breaches can severely damage not only operations but also the careers of the highest-level executives. Demonstrate to your CEO that you are an ally who can provide concrete job protection, and you will be much closer to approval for the security investments you know your organization needs.