After Target: a cultural sea change in the C-suite
January 2015 | EXPERT BRIEFING | RISK MANAGEMENT
There is a spectre haunting all of Europe. In contrast to the revolutions of 1848, however, it’s not just Europe, and it’s not the spectre of communism. Instead, it’s the spectre of cyber attacks like those recently suffered by the US department store chain Target that are haunting corporate boardrooms and C-suites all over the corporate world.
Indeed, until early 2014, when the disclosures of the cyber attacks on Target became the topic of discussion, most chief executive officers (CEOs) had a tendency to pay little attention to their chief information security officers (CISOs) or equivalents, chief information officers (CIOs) or chief technology officers (CTOs). Many senior corporate executives were inclined to view the CISO as a ‘cost centre’ or worse, as a ‘bearer of bad news’ who was to be avoided. That attitude persisted as long as the C-level executives thought that their CISO was doing his or her job because the firm was unaware of widespread thefts of intellectual property or of personally identifiable information of large numbers of customers or investors whose data were stored on the company’s networks.
The Target CEO’s resignation, following the cascading disclosures of cyber attacks that resulted in the theft of more than 100 million customer credit cards, reverberated in C-suites and boardrooms around the world. As a result of the Target revelations it suddenly became apparent to executives, investors, traders and customers alike that the reputation of even a major corporation could be severely damaged, if not destroyed, overnight. Since the disclosure of the Target attacks, attitudes are beginning to change. For many CEOs, the CISO is no longer to be viewed as a cost centre, but as the guardian of the company’s reputation. Although a firm’s reputation may count for more in the world of financial services than in any other industry, that is a tangential difference in degree, not in kind. In other words, the lessons that should have been learned in the aftermath of the Target disclosures apply to every company of any size in every industry.
The Target revelations should serve as an indicator of the increasingly widespread awareness of how transformative cyber security is becoming and how imperative it is for the leaders of any business to make cyber security a high priority. As the ‘internet of things’ expands and transforms our daily lives, the growth of such connectedness also creates concomitant opportunities for cyber crime, as the incessant news reports of the exponential growth in cyber attacks indicate.
As we approach the anniversary of the Target attacks, it has become clear that increasing numbers of corporate executives are finally realising that each connection also represents a vulnerability. That realisation is beginning to spur on cultural changes in C-suites, where the importance of the CISO is increasingly appreciated. Now, what is required are two more sea changes: one in Congress, and one between the US and Europe. Following the mid-term elections, it would be prudent for members of both Houses of Congress to put aside partisan differences long enough to finally pass the first comprehensive cyber security statute since 2002. In addition, it would be extremely beneficial for the US government and its counterparts in Europe (and elsewhere), plus ‘trusted identities’ in their respective private sectors, to repair the cross-border ‘bridges’ burnt by the Snowden disclosures and re-focus their cyber priorities towards improving information sharing on cyber attacks – while complying with their respective privacy rules.
Ira Hoffman is a principal lawyer at Offit Kurman. Mr Hoffman can be contacted on +1 (240) 507 1723 or by email: firstname.lastname@example.org.
© Financier Worldwide