Why are CEOs failing cybersecurity?

Why are CEOs failing cybersecurity?  Perhaps because of a misconception that cyber security is the responsibility of IT alone.  But surely protecting the organization’s brand, employee and client files, and proprietary information are key to its success, and therefore critical to its leader.

A single cyber incident can cost far more than just the money to investigate and remediate the attack itself.  Notification of affected parties can run upwards of $2-$4 per record, adding up to millions for breached organizations such as Target.  Lawsuits often result in additional damages.  Regulatory fines not only typically start with six-figure sums, but are almost never covered by cyber insurance, and you don’t even actually have to be breached to incur a fine.  Reputational damage is more difficult to calculate, but it is also very real, and some organizations don’t survive.

CEOs are being held accountable.  In May of 2014, Target’s CEO resigned following their massive public data breach.  That September, Home Depot’s CEO announced he was stepping down shortly before their breach was made public.  2015 saw the firing of Sony’s CEO as a result of the December 2014 breach, and  FACC, and aircraft parts manufacturer, just fired their CEO after a cyber scam cost the company $55M.

The risk to CEOs is clear.  While no one can prevent 100% of incidents, there are key things that you as the leader need to know with certainty.  The Dept of Homeland protection provided “5 Questions Every CEO Should Know”, and that’s a great starting point.  Ask the questions, and don’t stop asking questions until you understand the answers.  Test your controls and your staff.  Monitor for unusual behaviors.  And be prepared with incident response and the right cyber insurance coverage to minimize the damage should an incident occur.  By doing all of these things, you will have demonstrated your due diligence in protecting the assets that have been entrusted to you.