Townsend Security Data Privacy Blog

(The Cost of) the CEO/CISO Disconnect

Posted by Todd Ostrander on Apr 5, 2013 8:50:00 AM

AES Encryption Strategies - For the IT Executive


Download the white paper "AES Encryption Strategies - For the IT Executive"


Managing risk is at the forefront of the responsibilities that "C" level executives deal with on a daily basis. Fire fighting (managing business risk) is part of the job description, and planning to prevent the fires is what successful companies do. In his book Good to Great, management expert Jim Collins uses the analogy of a bus to analyze the leadership of great companies. When you have the right people in the right seats, Collins says, the company is elevated to a new level.

However, if there is a wall between the driver of the bus (the CEO) and the rest of the passengers, a serious lack of communication ensues. If the passengers know more than the driver about things such as weather conditions and the location of the destination, and there is no way to communicate effectively with the driver, then the navigators can't warn the driver of the severe risks that lie ahead.

One of the areas where I continuously see this disconnect is IT security. Because technology is an ever-evolving component of businesses, protecting sensitive data will always be an issue, and hackers will always be trying to find a way "in". Chief Information Security Officers (CISOs) are hired to manage this risk. But when the CEO is ignorant of the risks, whether through a lack of understanding or an unwillingness to take the time to learn them, the lines of communication between the CEO and CISO are obscured, and important decisions about data security do not get made.

A study recently published by CIO magazine and PricewaterhouseCoopers stated that "only 1/3 of security policies were tightly aligned with business goals."

Although a combination of factors leads to this disconnect, two primary factors prevail: 1) The CEO, CFO, or COO isn't well informed of the risk of a data breach and what it will cost their organization in real dollars, company value, and publicly perceived value. 2) The security professional (CISO) understands the vulnerabilities but can't articulate them in terms of business cost. The result is that neither the CEO nor the CISO is able to effectively quantify the risk. A risk unquantified is a risk ignored.

Fortunately, the press has provided us with significant examples over the past several months to help educate both the CEO and the CISO about the risks associated with unprotected data. In 2012 alone, there were multiple data breaches that cost individual companies BILLIONS of dollars in lost value and recovery costs.

These are the costs resulting from a publicly disclosed data breach:

  1. Cost to fix the issues that led to the breach
  2. Cost to protect the individuals' data / company data that was compromised from future breaches
  3. Cost of the future audits that will be required to maintain compliance
  4. Cost of the fines that can be levied, depending on the type of breach
  5. Cost of customers no longer willing to trust the organization
  6. Cost of the negative press / PR associated with the breach
  7. Cost of combating the negative PR with a new PR / social media campaign to assure customers / vendors that everything is okay

At the end of the day, we want to see CEOs succeed by increasing the value of the company in the eyes of the shareholders while reducing the risk of value erosion. We also want to see CISOs who are confident in educating their CEOs about these risks. As long as this issue continues to go unrecognized, the CEO has one more fear to keep him up at night.

Can you afford it?

Download our white paper "AES Encryption Strategies - A White Paper for the IT Executive" to learn more about key issues in data security, how to choose the right data security partner, and how to develop a strategy that ensures early successes.


Topics: Data Privacy, Executive Leadership