In a recent press release dated September 1st, Gartner predicts that 75% of CEOs will be personally liable for cyber-physical security incidents by 2024. The famous last words “I wasn’t aware” or “Oh, that’s our CISO, they handle this” no longer earn a hall pass. What’s that old saying about ignorance of the law? “Ignorance is bliss,” said Cypher in The Matrix, but we can no longer afford to leave security solely in the hands of those deemed to protect it. Ok, but our CEO is not technical, so how do we expect our CEO to understand our complex infrastructure? CEOs are no longer made in the 1950s: they do understand there is a need for security, and they certainly understand the cost of not having it. It all starts with a simple conversation. As a small example, when we all log into Slack in the morning and can’t wait to be the first person to post the latest threat or data breach news article in our group chat, don’t forget to include your CEO. Who knows, you may get a response asking “Are we protected against this?” Of course this one action isn’t the end of the story, but it is the beginning of a dialog that is way overdue.
“That’s the reason I have cyber insurance,” says the CEO. Not so fast: the market capacity for cyber insurance is not large enough to adequately cover all risk liability in a breach. Typically, insurance payouts are limited to between $500,000 and $5 million per occurrence. If you remember the Equifax breach back in 2017, they agreed to pay a minimum of $575 million to those affected by that breach. Just a tad over the five million dollar limit, I’d say. In 2016 the CEO of Uber was aware of a breach two months before it came to light, leaving 57 million accounts compromised and over 600,000 driver’s license numbers, along with millions of names and home addresses, exposed, leaving drivers and riders open to dark web vultures poised for identity theft. The outcome consisted of $100,000 in Bitcoin paid by the CEO to the hackers, cleverly disguised as a bug bounty; in turn the group signed a non-disclosure agreement that falsely stated they had not stolen any Uber data. I did tell you CEOs aren’t made in the 50s, right?
The point of this piece is not to place blame on the CEO, nor to lobby that they certify as an ethical hacker, but it is time for “equal accountability.” Captain Edward Smith once said, “Well boys, you’ve done your duty and done it well. I ask no more of you. I release you.” Great words in a time of chaos. Is CEO security awareness as critical as the sinking of the Titanic? Of course not, but we do look to our leaders in a time of crisis or chaos as that guiding light, and we trust them to make the right decision with the company’s best interest in mind. The CEO is in some ways the captain of the ship and is responsible not only for employees’ physical safety but for the safety of data and for how a breach may affect the safety of the customer. One unfortunate example of security affecting lives comes from an article written by our own Mike Talon titled “When Ransomware Kills.” During these trying times, as we deal with this pandemic, we have a saying: “we are all in this together.” Not to draw a line between the two, but we are in this together, and this should also teach us that we all have a part to play, even as we work from home at that kitchen table we call a desk. Are we looking for the CEO to go down with the ship? No, but there comes a time when forecasting critical corporate security requirements deserves a shared seat at the CEO’s high table known as “the quarterly numbers forecast.” I know, easier said than done, but the alternative, the typical statement “We’ll just make security a priority after the breach,” pushes the company down that slippery hill into the waiting arms of an adversary patiently waiting for a quick payday. Even paying the ransom does not guarantee the safe return of stolen records, not to mention that it simultaneously furthers the damage to customer confidence and data privacy. Do we have to wait for laws, penalties and regulations to save our customers, or can we empower those who wield the power to understand that the road to risk is a four-way stop?
Look, Listen, Plan and Execute.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request here.
“I have a company to run. I have shareholders entrusting me to bring profits, growth and name recognition every year. Why does this fall on my shoulders and not the CISO? I just don’t have time for endpoint this and virus that.” While laws and penalties in regard to data breaches have not yet been defined or outlined, that does not give the CEO the green light to shrug their shoulders when a breach occurs. Is the CEO at fault? Not necessarily, but as they say, the road to hell is paved with good intentions. The way corporate roles are laid out today, there has not been a clear way to involve the CEO in day-to-day security activities. The CEO is typically walled off from such things, or just plain not interested. Are we in the news? No? Out of sight, out of, well, you know the rest. How do we unsilo? Step one: find common ground and purpose. Set a new corporate standard and build off what you already have in place. Are you phishing your corporate users? Great, include your CEO. Nothing like a good air ball at the end of the 4th quarter. You are not looking to embarrass your CEO; you are trying to bring awareness and bring them into the conversation. After all, the CEO is in charge of all things corporate and is the last stop. Step two: as the CISO you are in charge of keeping all the doors locked, but that does not mean you cannot leave a door open for the CEO. Start the dialog; share a security report from time to time that empowers the CEO with both the good and the bad information. Don’t forget the silo. Have a plan in which you involve the CEO. Let them be the one who is able to answer the question “Are we getting better?” Do not be afraid to feed the bear. Paralysis by analysis, or withholding this type of information, is what gets the company into trouble in the first place. We all have the HR training required to maintain employment, but it usually has limits on security-type content: the do’s and don’ts of email, badge tailgating, etc.
I think it’s time to extend this training to cover adversarial breach and attack content, not only for the employees but, more importantly, for the executive staff. We all hear about breaches in the news and we hope it’s never about us. Not everyone understands the “what,” but it’s time they did. Talk about saving money through security education: pay a little now or pay a lot more later. If we can start the security wheels turning in the right direction, your CEO will be better prepared. When you hear your CEO talking about closing security gaps, along with promoting testing and validation of your corporate security controls, you know that A) hell has frozen over, and B) more importantly, when your CEO gives that public address about that breach attempt, it will be about how you were prepared and properly defended against it, and not about the dollar amount you paid in ransom, or the 500 million dollar fine, and the loss of customer confidence you now have to somehow win back. Invest in the right people. Invest in security awareness education. Invest in the right security platforms the first time. Invest in your customers. Invest in yourself. When you evaluate, first Cymulate.
Jonathan Brothers is Field CTO for North America at Cymulate. Jonathan has over 18 years of cyber security experience managing and training security personnel around the world. His passion is enabling security and disabling threat actors. With his ethical hacking background, he likes to say “some people live their life on the edge; he lives his life on the endpoint.”