CEOs swim in a sea of risk, and become very adept at identifying, assessing, and managing the risks they know. These risks include financial, regulatory, reputational, physical, and many others. The CEO has many other tasks besides addressing risk, of course, but assessing, monitoring, and mitigating risk is a critical part of the job.
With the rise of data breaches worldwide, IT security has become a new risk that seems to be the most ignored. Even though technologies exist to prevent the majority of these breaches, little is ever done to take preventative steps.
Since the fallout cost of a data breach is on average in the millions, why are CEOs so bad at assessing IT security risk?
Here are some answers I’ve gathered based on my discussions with CEOs who have experienced a data breach:
It’s a new threat
It’s human nature to misunderstand the potential damage of newly emerging threats. When DDT was first discovered, it was treated as a miracle pesticide. It took many years to understand the threat that DDT posed to human health and natural systems. In many ways the situation is the same today with Internet commerce and data security. Many CEOs just don’t see the potential damage a data breach will have on their organizations.
CEOs don’t have the tools to assess the risk
With our financial systems we have many tools that help us assess risk. Expense ratios, profit and loss statements, retained earnings, asset ratios, and many other tools allow the CEO to assess the changing nature of the financial status. It’s easy to see this risk as it develops. It is not yet a common practice to do the same with IT security risks.
Although there are many tools available to monitor IT security risk, such as system logging and file integrity monitoring (FIM), few of these tools are made to be easily interpreted by a CEO, and many CIOs are not in charge of these tools. In many cases the CEO turns to the CIO and asks, “Are we OK?” and often gets an equally soft answer: “Everything is OK. Our consultants and vendors tell us that we are fine.” Real information is hard to come by, and so everyone is surprised when the data breach happens.
A persistent state of denial
Many CEOs engage in a common form of magical thinking. They tell themselves, “It hasn’t happened to us yet, so it probably won’t.” But security professionals know that a data breach is a matter of when, not if. Assuming something won’t happen to you because it hasn’t happened so far is not a form of risk assessment.
Underestimating the damage potential
Another common risk assessment failure among CEOs is the failure to understand the full impact of a data breach. I’ve heard many executives say things like, “If it happens to us, we’ll just pay the fine.” The problem with this thinking is that the fine, if there is one, is a tiny fraction of the damage to the organization. Data breaches often lead to expensive litigation, years of on-premises security audits, shareholder lawsuits, credit monitoring services, lost goodwill, and lost revenue through customer defections. The impacts are often much larger than the CEO was ever expecting.
The danger to the CEO’s job from inadequately assessing IT security risk is real. Few CEOs survive long after a large and embarrassing data breach, and a stellar career history is tarnished by the painful public exposure that follows.
Real change will take place when CEOs fully come to understand the nature of IT security risks, and begin to hold the organization, and themselves, fully accountable.
Download our white paper "AES Encryption Strategies - A White Paper for the IT Executive" to learn more about key issues in data security, how to choose the right data security partner, and how to develop a strategy that ensures early successes.