'Good Enough' Probably Isn't

For several years now, I have advocated that CEOs must begin acting as the Commander-in-Chief of cyber warfare for their companies. This role would involve the chief executive building resiliency into not only the business itself but also into IT, which is now key to the survival of the business.

But one after another, CEOs still follow the same IT security road of shame that the leadership of Target and other corporations have taken. The lesson is unmistakable: If you provide poor IT security to your customers, you will soon be looking for a new job.

More than a few companies have flawed and unethical business models wrapped into a highly polished patina of legitimacy and compelling imagery that takes them far... until that moment when the covers are pulled off of a company. The misdeeds and deceptions are not all that different from what's now publicly known about what was going on inside the largest financial institutions in the world leading up the financial meltdown in 2007/2008. ("Uh, we really didn't mean what we said about how those mortgages would perform over the next 30 years!")

The problem of poor internal security controls did not end with the financial meltdown. I will not forget speaking with a potential client from a company that had received numerous large fines for repeated IT security violations. As we discussed the pros and cons of one privileged identity management solution versus another, he became more and more agitated as I explained how one solution would help reduce the fines and breaches they've suffered (all public information).

In the end, he told me that I had no idea about how his company handles IT security, and that he was not interested in my suggestions. He then stormed out. Life is ironic: His company showed up in the national news about a month later for another major data breach that affected millions of consumers. This company did not buy my suggested security solution. They went with another "solution" because of that product's pretty interface.

I don't blame the employee. His senior management clearly did not provide the right criteria or incentives to purchase solutions that help with real IT security problems. And pretty user interfaces don't solve critical cybersecurity issues.

We work with a lot of great companies that have embraced acceptable loss as a reasonable and prudent strategy. Yet even with this approach, there is still sometimes bad news from IT about cyberattacks. But there are few surprises -- nor are there long periods of time where hackers nest in the environment and extract data at will.

The leadership of an organization must be up-to-date on cyber warfare threats and how the organization must prepare and operate to minimize losses. This does not mean leadership must know the deep dive details of specific threats, but they must understand how infiltration and exfiltration of data as well as destruction occurs in the cyber field.

Leadership must take action when presented with audit findings to terminate ongoing risks via both organizational changes and the implementation of technology as quickly as possible. Leadership should test the mitigations regularly to confirm the problems found have been resolved and more importantly, recheck the controls to assure that there is no backsliding to old destructive behavior.

There is a clear lack of visibility to the CEO and Board of Directors to the weaknesses and the inability of IT to manage risk and mitigate consequences to known outcomes. From a leadership point of view, many companies are running companies and government agencies with a ticking time bomb and no ability to stop it or reduce the consequences of a breach. Not all of the blame lies with IT, but senior leadership of companies are not building resiliency into their business operations when it comes to IT.

With more corporate board members now taking a hard look at information security, I predict we'll start seeing a revolving door of senior corporate leadership. Many executives will be forced to move on, simply because they don't "get it" when it comes to IT security.

Board level members know that security breaches are inevitable and they may be held liable for their failure to guide the company toward an operational posture that responds appropriately to cyberattacks. In this oversight role, the Board will push the CEO for answers on how the company can achieve acceptable losses via a cyber defense strategy. And while the concept of acceptable loss is not new for the CFO and CEO, when it comes to the spooky and complex world of IT, it appears there is a blind spot they're ignoring at the peril of their careers.

Related posts:

— Philip Lieberman, noted cybersecurity expert and founder of Lieberman Software, has more than 30 years of experience in the software industry. He is frequently quoted by international business and mainstream media as well as industry news organizations, and has published numerous books and articles. Lieberman taught at UCLA, and has authored many computer science courses.