As this year draws to a close, it’s starting to look like 2015 will be labelled the year of ‘Pin the tail on the CXO’. If 2014 was the year of the data breach, from the Target and JP Morgan hack attacks to the 40 percent of businesses that experienced data loss, then 2015 was when the finger pointing began as large corporates sought to allocate the blame. So what can we learn going into 2016?
Dido Harding, CEO of TalkTalk, seemed to follow the Corporate Comms rulebook in fessing up to the data breach in October. But she quickly came undone when questioned on the technicalities. Was customer data encrypted? She didn’t know. What was the extent of the breach? She wasn’t sure; was it over 4 million? No, it transpired it was closer to 400,000. But if Harding won points for honesty, she lost them for post-breach customer care when she chose not to waive termination fees for customers who wished to close their accounts. The verdict? There had been far too much bean counting both before and after the event.
Harding’s public dressing down typified a shift in mindset from one of corporate alarm to one of resignation. Rightly or wrongly, big business has come to accept the fact that the data breach is an irritating but inevitable consequence of the digital economy. The mantra goes ‘it’s not if, it’s when’ a data breach will occur, so the corporate exec believes they will one day need to take it on the chin. Nod to the flashing bulbs, defuse the situation by making the necessary conciliatory gestures, wait out the storm… until it’s time to come bouncing back. Bloomberg reports that JP Morgan’s CSO, Jim Cummings, for instance, has been reassigned to another position within the bank.
So if heads don’t roll, has pushing cyber risk up the corporate agenda really worked? Well, yes and no. C-suite execs are now better informed, as a rule, when it comes to cyber risk, with regular risk reporting. Cyber spend is also undoubtedly now more of a priority, although estimates suggest most organisations spend over three quarters of their budget on defensive security measures aimed at keeping attackers out. That leaves just a quarter of the budget to deal with those attacks that are successful.
The problem is that while the head may now be listening, it still doesn’t know what the tail is doing. Until the organisation embeds cyber security into the way the business functions, both in terms of people and process, there will always be miscommunication, misunderstanding and missed opportunities for improvement, creating exploitable gaps in security.
Going into 2016, there has to be a greater emphasis on security as an intrinsic part of the business. A cultural shift needs to happen whereby security is not an add-on but part of how the business operates. Yes, there needs to be top-level steerage, but the intelligence needed to make those decisions has to come from elsewhere in the organisation, requiring a joined-up security strategy.
Cyber risk needs to be evaluated, appraised and communicated in such a way that it translates technical knowledge into actionable intelligence. Data needs to be afforded appropriate protection according to its value at any given time and any change in state needs to see that protection adjusted accordingly. Access needs to be awarded according to need, with tools such as encryption and authentication used effectively.
That’s the bare bones of good security policy, but where it gets interesting is how that can be built upon to create better working practices. Create a two-way street: don’t just educate staff but encourage them to report back through an open disclosure programme, and incentivise good working practices. Look at how security controls will be implemented: no, you can’t plug every hole, but you can make it difficult to access sensitive data. And look at how you will maintain business as usual in the event of a breach: don’t just focus on the rhetoric and the media comms plan but on how you will isolate, assess, and report the most vital information to ensure appropriate action is taken and is communicated to the CXO.
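The two preceding paragraphs describe a policy in words: protection tied to the data's classification and re-evaluated when that state changes, access granted on business need, and a breach assessment that can answer the board's first questions (how many records, and were they encrypted). The following is an added illustration of that policy as a small, checkable model; it is not the article's code and not any vendor's product. The classification levels, the controls required at each level, the role-to-need mapping, the asset names and the record counts are all assumptions constructed for the example.

```python
"""Assumed, illustrative model of a classification-driven protection policy.
Not the article's own code; the levels, required controls, role needs and
sample assets below are assumptions chosen for the example."""
from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Assumed baseline: controls that must be in place before data at each level is served.
REQUIRED_CONTROLS = {
    Classification.PUBLIC: frozenset(),
    Classification.INTERNAL: frozenset({"authn"}),
    Classification.CONFIDENTIAL: frozenset({"authn", "encrypt_at_rest"}),
    Classification.RESTRICTED: frozenset({"authn", "mfa", "encrypt_at_rest", "encrypt_in_transit"}),
}

# Assumed mapping from business role to the highest level that role has a need to access.
ROLE_NEED = {
    "marketing": Classification.INTERNAL,
    "finance": Classification.CONFIDENTIAL,
    "dba": Classification.RESTRICTED,
}


@dataclass
class DataAsset:
    name: str
    classification: Classification
    records: int                                 # personal records held (constructed figure)
    controls: set = field(default_factory=set)   # controls actually in place on the asset

    def missing_controls(self) -> set:
        """Controls the current classification demands but the asset lacks."""
        return set(REQUIRED_CONTROLS[self.classification]) - self.controls


def reclassify(asset: DataAsset, new_level: Classification) -> list:
    """A change in the asset's state: protection is re-evaluated, not assumed.
    Returns the controls that must now be added before access is allowed."""
    asset.classification = new_level
    return sorted(asset.missing_controls())


def access_decision(asset: DataAsset, role: str, auth_factors: int) -> tuple:
    """Need-to-know first, then required controls, then authentication strength."""
    if ROLE_NEED.get(role, Classification.PUBLIC) < asset.classification:
        return ("deny", "no business need")
    missing = asset.missing_controls()
    if missing:
        return ("deny", "missing controls: " + ",".join(sorted(missing)))
    if "mfa" in REQUIRED_CONTROLS[asset.classification] and auth_factors < 2:
        return ("deny", "mfa required")
    return ("allow", "")


def breach_summary(affected: list) -> dict:
    """Isolate/assess/report: the facts the CXO will be asked about first,
    computed from the asset inventory rather than guessed at a press conference."""
    total = sum(a.records for a in affected)
    unencrypted = sum(a.records for a in affected if "encrypt_at_rest" not in a.controls)
    return {
        "assets": len(affected),
        "records_affected": total,
        "records_unencrypted": unencrypted,
        "assets_below_policy": sorted(a.name for a in affected if a.missing_controls()),
    }


if __name__ == "__main__":
    # Constructed sample assets; counts are illustrative, not any real company's figures.
    customers = DataAsset("customer_records", Classification.CONFIDENTIAL, 250_000,
                          {"authn", "encrypt_at_rest"})
    print(access_decision(customers, "finance", 1))          # allow
    print(access_decision(customers, "marketing", 1))        # deny: no business need
    print(reclassify(customers, Classification.RESTRICTED))  # controls now missing
    print(access_decision(customers, "dba", 2))              # deny until those are added
    print(breach_summary([customers]))
```

The ordering in `access_decision` is deliberate: a role without a business need is refused before the system even looks at encryption or MFA, so the "need" test cannot be bypassed by strong authentication, and raising a classification immediately blocks access until the stronger controls actually exist rather than merely being planned.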
One thing you can be certain of in 2016 is that we will continue to see plenty of data breaches. What remains to be seen is whether we will begin to see spend focused on where it needs to be to protect data. Will we see informed C-suite execs who know their organisation inside out and can disclose with candour? Or will we see a further shift in focus from alarmism to apathy? Only the future will tell.