In a world of escalating cyber crime, heads are on the chopping block and it's getting bloody. “Uneasy lies the head that wears a crown” is more true than ever for business leaders and CEOs. When Target retail suffered one of the largest cyber security breaches on record—resulting in 40+ million credit cards compromised—the Target CEO was fired after 35 years with the company. The Home Depot breach appears to be on track to have even higher losses (2,200+ stores with 56 million credit cards compromised). Outcries on social media are exerting public pressure to fire the mega retailer's CEO and CISO (Chief Information Security Officer). Meanwhile, JP Morgan Chase acknowledged that its quarter of a billion dollar IT security spend for FY2014 was insufficient to protect the firm from a recent cyber breach.
What do all these recent headlines have in common? Large US-based companies with millions of customers’ credit cards on file are being successfully breached by cyber criminals. And the companies’ leaders have plenty to lose including their own jobs.
The consensus view among IT security professionals is that every organization has been compromised or breached to some extent, whether they know it now or discover it later. It’s the new reality. Here is a list of the top 10 “publicly known” security breaches in retail with # of customers affected by credit card theft:
| Retailer | Date | # of impacted accounts | Case description |
|---|---|---|---|
| TJX companies | Jan 2007 | 90 million | Partial compromise of payment processing systems |
| The Home Depot | Apr 2014 | 56 million | Point of Sales system compromise across 2,200+ stores |
| CVS Caremark | Jun 2005 | 50 million | Security flaw in loyalty card service exposes sensitive purchase data |
| Target | Nov 2013 | 40 & 70 million | Two breaches of 40M credit cards and 70M customers' financial data |
| Barnes & Noble | Aug 2008 | 40 million | Specific retail stores were compromised to obtain credit card info |
| Sony Computer | May 2011 | 25 million | Stolen customer account information from an outdated database |
| Zappos (Amazon) | Jan 2012 | 24 million | Customer name, email, address, last four digits of credit card number |
| Deviantart | Dec 2010 | 13 million | Entire database of customer accounts hacked and stolen |
| Dangdang (China) | Dec 2011 | 12 million | E-Commerce customer account information compromised |
| BJ's Wholesale | Mar 2004 | 8 million | Hackers charged fraudulent transactions against specific customers' accounts |
The above list of breaches is staggering, and this is only a narrow subset of breaches focused on POS within the retail vertical that have been publicly disclosed. If we extend the view to other industries and include data and intellectual property (IP) theft, the number of customers with breaches increases by an order of magnitude.
My view is that it's unfair to assume that all of these companies' IT security protection was simply full of holes due to negligence or not following best practices. I believe most IT teams did what they could within the confines of their roles within these companies. Despite a measured increase in IT security spending ($76.9B USD annual spend in security products and services by 2015 — Gartner) over the past 10 years, cyber security protection has gotten worse for businesses in almost every measurable category. The budgets have increased but I would argue cyber security remains relegated to IT departments as one of many challenges they must tackle.
One question that the Target incident raises: When your organization is hacked and customer data compromised, should our response as shareholders be to fire the CEO—even as we acknowledge that almost every organization is compromised to some extent? Should the CEO be looking to fire her CISO and head of IT because it happened on their watch?
Like most complex questions, I think the answer really depends on the situation.
Perhaps Target’s CEO and his cadre of reports were negligent, particularly with subcontracted employees maintaining the store’s HVAC (heating, ventilation and air conditioning) systems. Those employees checked email unknowingly laced with malware and gave up their credentials for managing an internal HVAC system. This action set in motion the initial breach that migrated to Target’s POS (point of sales) systems.
Here is my favorite depiction of the anatomy and workflow of the Target breach (kudos @ChrisPoulin):
This is not easy to understand due to the complex nature of the systems under attack. The stakes are high for cyber security. Business owners are being held accountable when companies lose their customers’ financial data and trust. Firing CEOs is simply a wake-up call.
Risk management needs an overhaul when it comes to incentives. Overall, we have a lot of innovation coming from the Next Gen [fill in the blank] (pick any: anti-X, DLP, endpoint protection, firewall, IDS, IPS, proxies, SIEM, etc.) funded heavily by venture capital firms. Examples of a few Venrock investments: CloudFlare provides DDoS protection as a service to even the smallest companies around the world, and its recent release of Keyless SSL has the potential to be game-changing for Internet encryption. Shape Security brings a new class of Bot Firewall for web application protection. VeloCloud has created the first Cloud-delivered WAN that includes branch firewall and VPN encryption as a service. I think it's critical to continue to fuel these types of security technology innovations.
However, where are the offerings that change business leaders’ fundamental motivations?
In the past, most business leaders viewed cyber breaches as being akin to shark and bear attacks: scary but relatively rare occurrences that happened out in the wild somewhere. Today, cyber attacks are becoming so commonplace that they’re considered more like auto accidents or flooding: events that happen all the time and range from minor to career/life-ending. Few of us would want to build our home in a known flood zone (high risk undertaking). None of us drive our cars without being licensed (third-party assessment) and insured (accident protection). It’s time to extend that same attitude to ‘driving’ a business.
Cyber insurance has remained a fairly niche industry since its inception in 1997. But the past two years have seen a dramatic rise in cyber insurance products and underwriting. This change offers the opportunity to shift cyber risk management decisions to business executives, not just IT departments, with the incentive being to lower premium costs and increase coverage breadth. Having this deeper motivation for financial risk/reward, while simultaneously strengthening IT security, is a useful tool. When applied properly, cyber insurance expenditures and the continuous risk assessment rating used to gauge coverage can force cyber security to stay at the forefront of the minds of CEOs and business leaders.
Bottom line: Whether it's fair or not, CEOs are being held accountable for cyber incidents. Business owners generally operate at a disadvantage compared to their adversaries. Cyber criminals are highly motivated by a financial risk/reward model that tilts in their favor. To help turn the tide and reverse our losing trend in cyber security, let's arm the good guys with a better risk/reward model of their own. Cyber security should be a business initiative that CEOs can understand and own, instead of treating it as one of many IT challenges. Promoting continuous security improvements motivated by meaningful financial incentives for cyber insurance coverage/pricing is a step in the right direction.