Security Risk Management

The Inevitability of Security Risk in the Board Room – Steinhafel is dead, long live Steinhafel

Sonali Shah | May 8, 2014

king-is-deadOriginating from the French proclamations of Charles VII’s ascension to the throne after the death of Charles VI, “The King is dead, long live the King” speaks to the inevitability of succession. It is now not a stretch to think about the inevitability of future CEOs leaving power and ascending to power as a result of cyber breaches.

It has long been the hopeful or aspirational claim from cybersecurity experts and vendors that ‘security is now a boardroom issue’.  It was even hopeful and aspirational in 2012 and 2013 as the world began to talk about Advanced Persistent Threats.  But hope became reality when the board of directors at Target acted in the wake of its much publicized security breach. Was the breach the only reason that Gregg Steinhafel was removed?  Of course not, but make no mistake that the ouster of the CEO had much to do with the breach.  It matters not that Target Corp. actually has a comprehensive approach to security and that Steinhafel received kudos for the way he managed the post-breach fall out.

Still not convinced that cybersecurity is in the boardroom? You only have to listen to Target interim CEO, John Mulligan, answering CNN’s question about the role of the data breach in his predecessors departure: "It was a conversation between Gregg and the board." 

So how should CEOs prepare themselves now that security threats are a boardroom inevitability to be planned for (in the same way that bad quarters, law suits, and geopolitical impacts are)? Well, first they should prepare themselves for the onslaught of security champions (and the vendors lining up behind those champions!) who will expect them to care about the difference between anomaly detection and heuristics, or the benefits of format preserving encryption over traditional encryption, and other detailed security infrastructure concerns. Can you imagine the FireEye marketing campaign currently being targeted on CEOs and board members? 

But this isn’t what the CEO or the board should focus on.  Their responsibility is to hire and invest in strong security, risk and compliance teams to deliver on the strategies and tactics that ultimately minimize risk and raise the security bar. Board level discussions around security and risk must mirror the discussions on topics like revenue performance, growth, investment, etc. These discussions are always underpinned by a consistent set of objective, data-driven measurements, over time, that reflect internal performance, benchmarking against a peer-group, competitive comparison and understanding of 3rd party dependencies within the business process.  

Now that cybersecurity has, at last, earned its place at the table, it will be exciting to see how technologies and solutions are adopted by this new era of security-minded leaders in order to communicate the business value of a strong security strategy. 

Suggested Posts

Mitigating Risk in Your Expanding Digital Ecosystem

As time goes on, organizations are taking on more and more new digital transformation initiatives to become increasingly agile and boost productivity — dramatically transforming the number of digital touchpoints employees interact with on...


3 Ways to Ensure Best-in-Class Third Party Cyber Risk Management

An effective third party cyber risk management program both identifies potential threats and finds ways to mitigate them. Organizations should aspire to the highest possible standards when it comes to their security posture. To do so, they...


Cyber Risk Should Be A Growing Concern to the Municipal Bond Market

Following an increase in ransomware cyber attacks, most notably May 2017’s WannaCry attack, U.S. public sector entities are starting to see the effects of these attacks on the almost $4 trillion municipal debt market. As a result, issuers...


Subscribe to get security news and updates in your inbox.