During a presentation I gave at a recent Gartner security event, I suggested that CEOs must begin acting as the Commander-in-Chief of cyber warfare for their companies. This role would involve the chief executive building resiliency into not only the business itself but also into IT, which is now key to the survival of the business.
Last week the CEO of Ashley Madison resigned as a result of the very public data breach that company suffered. This CEO follows the same IT security road of shame that the leadership of Target and other corporations have taken. The lesson is unmistakable: if you provide poor IT security to your customers, you will soon be looking for a new job.
As researchers have delved into the business model of Ashley Madison (above and beyond the moral issues), the data breach brought to light disturbing elements of the company’s leadership, IT operations and business model.
Ashley Madison is Not Alone Among Companies With Poor IT Security
Ashley Madison is not unique in having a distorted moral compass. More than a few companies have flawed and unethical business models wrapped into a highly polished patina of legitimacy and compelling imagery that takes them far… until that moment when the covers are pulled off of the company.
The misdeeds and deceptions of Ashley Madison are not all that different from what’s now publicly known about what was going on inside the largest financial institutions in the world leading up to the financial meltdown in 2007/2008. (“Uh, we really didn’t mean what we said about how those mortgages would perform over the next 30 years!”)
The problem of poor internal security controls did not end with the financial meltdown. At one of the recent trade shows I attended, a potential client stopped by our booth from a company that recently received numerous large fines for repeated IT security violations. As we discussed the pros and cons of our privileged identity management solution versus our competitor’s offerings, he became more and more agitated as I explained how our solution would help reduce the fines and breaches they’ve suffered (all public information).
In the end, he told me that I had no idea about how his company handles IT security, and that he was not interested in my suggestions. He then stormed out of our booth. Life is ironic: his company showed up in the national news about a month later for another major data breach that affected millions of consumers. This company did not buy our security solution. They went with our competitor because of their product’s pretty interface.
My guess is that the CEO of this company will soon be in the same unemployment line with Ashley Madison’s chief executive, since their corporate leadership put little effort into IT security or resiliency. I don’t blame the employee who visited our booth. His senior management clearly did not provide the right criteria or incentives to purchase solutions that help with real IT security problems. And pretty user interfaces don’t solve critical cyber security issues.
Acceptable Loss as an IT Security Strategy
With more corporate board members now taking a hard look at information security, I predict we’ll start seeing a revolving door of senior corporate leadership. Many executives will be forced to move on, simply because they don’t “get it” when it comes to IT security.
Board-level members know that security breaches are inevitable and that they may be held liable for failing to guide the company toward an operational posture that responds appropriately to cyber attacks. In this oversight role, the Board will push the CEO for answers on how the company can achieve acceptable losses via a cyber-defense strategy. The concept of acceptable loss is not new for the CFO and CEO. However, when it comes to the spooky and complex world of IT, it appears there is a blind spot they’re ignoring at the peril of their careers.
We work with a lot of great companies that have embraced acceptable loss as a reasonable and prudent strategy. Even with this approach, there is still sometimes bad news from IT about cyber attacks. But there are few surprises, and there are no long periods of time during which hackers nest in the environment and extract data at will.
You Can’t Stop All Losses That Occur During Cyber Attacks
Some people have asked me if our privileged identity management technology stops all losses during a cyber attack. The answer is no. Our products are part of a cyber-defense process that minimizes loss by design and operation. By keeping your machines clean of excess privileged identities, and putting a short lifetime on high powered credentials, the consequences of cyber attacks can be minimized.
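To make the two controls in that paragraph concrete, here is an added audit example (my own illustration, not Lieberman Software's product code) that runs over a constructed inventory of privileged accounts and reports the ones that violate an assumed policy: admin credentials must be rotated within 24 hours, and only a per-host approved list of accounts may hold administrative group membership. The host names, account names and policy values are all made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real data): privileged accounts on two hosts,
# their group memberships, and when each credential was last rotated.
@dataclass
class PrivilegedAccount:
    name: str
    host: str
    groups: set
    last_rotated: datetime

NOW = datetime(2015, 9, 1, 12, 0, tzinfo=timezone.utc)
MAX_LIFETIME = timedelta(hours=24)          # assumed policy: admin credentials live one day
PRIVILEGED_GROUPS = {"Administrators", "wheel", "sudo"}
APPROVED_ADMINS = {                         # assumed per-host allow list of privileged accounts
    "web01": {"pim-svc", "ops-break-glass"},
    "db01": {"pim-svc", "dba-break-glass"},
}

INVENTORY = [
    PrivilegedAccount("pim-svc", "web01", {"Administrators"}, NOW - timedelta(hours=3)),
    PrivilegedAccount("ops-break-glass", "web01", {"Administrators"}, NOW - timedelta(days=400)),
    PrivilegedAccount("jsmith", "web01", {"Administrators", "Users"}, NOW - timedelta(days=90)),
    PrivilegedAccount("pim-svc", "db01", {"wheel"}, NOW - timedelta(hours=20)),
    PrivilegedAccount("legacy-backup", "db01", {"sudo"}, NOW - timedelta(days=1200)),
]

def is_privileged(acct):
    """An account is privileged if it belongs to any high-powered group."""
    return bool(acct.groups & PRIVILEGED_GROUPS)

def excess_privileged(inventory, approved=APPROVED_ADMINS):
    """Privileged accounts not on the host's approved list: candidates for removal."""
    return sorted((a.host, a.name) for a in inventory
                  if is_privileged(a) and a.name not in approved.get(a.host, set()))

def stale_credentials(inventory, now=NOW, max_lifetime=MAX_LIFETIME):
    """Privileged credentials older than policy, with their age in hours.
    A credential captured at any point in that window is still usable, so
    these are the ones to rotate first."""
    return sorted((a.host, a.name, (now - a.last_rotated) // timedelta(hours=1))
                  for a in inventory
                  if is_privileged(a) and now - a.last_rotated > max_lifetime)

if __name__ == "__main__":
    print("Excess privileged accounts:", excess_privileged(INVENTORY))
    print("Stale privileged credentials:", stale_credentials(INVENTORY))
```

In a real deployment the inventory would come from the directory or the endpoints themselves, and the stale list would feed an automatic rotation rather than a printout.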
The secret sauce is the process that companies follow, as well as the automation of security known as DevSecOps. Since this process causes outages and inconveniences, we cycle back to the CEO and Board of Directors, who are the only entities that are authorized to reinvent the organization for IT resiliency and security.
It’s inevitable that the lifetime of CEOs will begin to decrease as the Board becomes IT security savvy. Just like we saw with Ashley Madison, expect to see more CEOs “resigning” in response to new data breaches.
By Philip Lieberman, President and CEO, Lieberman Software
Mr. Lieberman is an astute entrepreneur able to perceive shortcomings in the cyber security market, and fill those gaps with innovative solutions. He developed the first products for the privileged identity management space, and continues to introduce new solutions for this burgeoning security field.