We live in a world where cybersecurity breaches have become everyday occurrences. The headlines generally describe the same scenario, played out again and again. Bad actors find a backdoor, companies and government agencies are blindsided, consumer data is compromised. The next day, or the next week, it happens all over again. I can point to at least three stories in the past three years that share this common thread.
The first, a 2017 Politico dispatch detailing a breach in the Office of Personnel Management (OPM). The headline reads: “House report: Massive OPM breaches a failure of leadership.” The story highlights a pressing concern in our country – the threat of foreign powers infiltrating our government, our elections and infrastructures. And we should be – historically, this type of breach is the first step in the playbook. First a foreign power gains access to information about people with security clearances – people in the most highly trusted roles. Next, that information is used to compromise those trusted people and to gain access to sensitive systems and information. Very few people understand just how devastating the OPM breach was to our future and our national security.
The second is a 2018 story in Forbes. The author says, “CEOs: The Data Breach is Your Fault.” And the third, published in March 2019, is from Harvard Business Review. It describes how the Marriott breach was handled by the hotel chain’s board of directors. The article was not complimentary; it bemoans the fact that Marriott did not have a cyber risk committee and that none of its board’s 13 members have a deep cybersecurity or technical background. But it misses the point – those are not critical components of cybersecurity, and having a cybersecurity committee reinforces the problem of a disengaged leadership relying on outside experts.
The question they should be asking is this one: “Are the board members and the C-Suite leaders cybersecurity-literate in a manner commensurate with their positions and do they understand their roles in institutional cybersecurity?” This question would drive home the point that the problem is within, and not solvable by just hiring outside experts or forming a committee. Cybersecurity should be considered a horizontal skillset – not just a vertical one.
What these stories have in common is that they are about leadership failures. They were not talking about the CISO’s leadership failure. They were about failures taking place above the CISO, at the CEO and board of directors level. The articles ask good questions, such as why did it take 11 weeks for Marriott to notify the public? And why did it take the OPM leadership several years to do the same?
Notifying the public is part of incident management responsibilities at the top. It is not an action that the CISO can take. The job belongs squarely with the executive leadership above the CISO, CIO and CRO. How will these leaders perform their cyber incident management responsibilities if they don’t know anything about the topic?
The author in the Forbes article cites three CEOs who were fired for a cyber breach. By all accounts, these three CEOs did not know much about cybersecurity; not enough to prevent the incident and certainly not enough to perform their cyber-incident-management responsibilities. It is almost certain that these leaders were aware – are ever more so aware – of what is happening with respect to cyber breaches in other companies. One can imagine that these leaders at the top are more than just concerned. One can further imagine a hurried call for the CISO to have a meeting with the CEO or to brief the board after each one of these breaches. They all want assurances that the same will not happen to them. But it will.
Cyber breaches are happening with alarming frequency. What are these leaders not getting? Poll after poll shows growing awareness, concern, and increased budgets. Let’s look at some of the specifics and make some suggestions using the old tried and true (and admittedly boring) Responsibility, Accountability, Consulted and Informed (RACI) matrix to show where it is that corporate leadership is failing.
A RACI matrix for cybersecurity leadership assignments would array the board members, CEO and other C-Suite executives on the top row with the major cybersecurity compliance tasks in the first column. The intersecting cells assign the respective RACI obligations.
This means boiling down the vast world of compliance to the major tasks, the ones that require executive RACI engagement. An example is the legitimacy requirement for General Data Protection Regulation (GDPR) privacy compliance. This requirement is a policy supported by processes and technologies to assure legitimate use of personal information. In practice, this requires knowing and authorizing every bit of personal data, the kind keyed in, purchased from third parties, and generated from business intelligence. This is the metadata, and network data that is used, collected and processed to identify people and their behaviors. That is step one. And it’s not easy to complete.
Step two is to determine if data retention meets a legitimate (as defined in the regulation) purpose in regards to the interests of the data owners. The owners of personal data, according to the privacy regulations, are not the companies doing the collection. The companies are supposed to be stewards of the personal information whereby both parties, owners and companies have benefits and rights. The data owners are the people whose personal information has been collected. Determining which data should be collected and stored is also not easy.
Thinking through this lens is a tectonic departure from how companies have operated in the past – and starts to give insight into why companies have been non-compliant in meeting their breach disclosure requirements. Rarely have companies asked questions like: “What personal data do we have? Where is it stored? To whom do we sell it? From whom did we buy it? What was lost, and how do we know?” This is a short list of questions. The detailed list is longer, and the time it takes to answer each question is monumental.
Completing these two steps is a fundamental aspect of privacy compliance that allows the company to meet further obligations, like notifying the people affected by a breach that their data is no longer under the company’s control. This is the kind of preparation that executive leadership needs to undertake to prepare for a cyber incident.
Now to the crux of the question. Which positions listed at the top of each column in the RACI matrix are Responsible, Accountable, Consulted and Informed? In the past, only the CISO has been expected to shoulder all these responsibilities. This doesn’t work.
CISOs do not own the Responsible and Accountable requirements for personal data. CISOs have a responsibility to provide protection. The head of each business unit, including sales, human resources, marketing, legal etc. is responsible for ensuring that they can answer the questions of data privacy compliance for their units and for keeping senior leadership informed. And senior leadership, including the CEO and board of directors, is responsible for holding unit leaders accountable, for consulting with their people, and for actively staying informed.
Cybersecurity is a team effort, and the quarterback is the CEO – keeping compliance on the agenda for weekly staff meetings, looking across to the business leaders, not the CISO, and asking the questions that drive the actions in the RACI matrix: “Are we compliant with privacy requirements, Head of Sales? Have you reviewed and concurred, General Counsel? Have we done step one, to know what personal information we have, where we have it, that it meets our stewardship obligations, CIO?”
These are the specifics needed to understand your company’s cyber resiliency. It will take a lot of hard work. Some leaders might need to sign up for a course, to brush up on security requirements, and make a point to work more closely with the CISO. That’s good. That’s called playing like a team. Leadership means knowing what questions to ask, of whom to ask them and to know how to verify the answers. Only when cybersecurity compliance becomes part of mainstream management practices will we see fewer breaches, and fewer headlines with CEOs wondering, “what just happened?”