In the recent Op-Ed, Maybe We Have the Cyber Security We Deserve, Roger Grimes makes the argument that, despite the failings of current cyber security practices, there is a certain lack of interest on the part of consumers with respect to the protection of their identity and data online. This attitude, Grimes argues, results from an increasing focus on incident response rather than prevention. That is, for the average consumer, the inconvenience of stolen data is decreasing: if credit card information gets stolen, you likely won’t be responsible for fraudulent charges; if your login information is compromised, you just change your password. The impact of data breaches on consumers is often rather low, and therefore, without a catastrophic event — a ‘digital 9/11,’ as Grimes puts it — there doesn’t seem to be much urgency for comprehensive change. “We are OK with OK security,” Grimes says. And maybe, he concludes, that’s good enough.
Grimes is not wrong in diagnosing the state of cyber security as reactive rather than proactive. And it is true that incident response should play an important role in cyber security; for businesses it is crucial for mitigating larger losses and reducing overall costs. The problem with Grimes’ argument, however, is that it places the focus on the consumers rather than on businesses and their leadership. Instead of asking why users don’t care about security, we should instead ask why companies don’t care about security.
Organizations have to weigh and prioritize their exposure to risk every day. One would think that, given the scrutiny in the press after every new breach, companies would focus more on cybersecurity risk. But they don’t. The problem that Grimes neglects, however, is the cultural and semantic disconnect between the technology and the business leadership.
The Equifax breach, for example, happened in large part because of a governance structure that stifled communication between security and IT. According to the report by the House Oversight Committee, the CSO used to report directly to the CIO, but because of personal differences Equifax decided to have the CSO report instead to legal. When others came to fill those positions, however, the structure remained the same. Therefore, according to the report, “collaboration between IT and Security mostly occurred when required, such as when Security needed IT to authorize a change on the network. Communication and coordination between these groups was often inconsistent and ineffective at Equifax.”
While Equifax’s executive structure particularly facilitated a breakdown in communication, having the CSO report to the CIO might not have been good enough. The House’s report goes on to say that “Equifax’s CEO did not prioritize cybersecurity” and that “the CSO was not considered part of the senior leadership team.” This structure therefore excluded the CSO from quarterly senior leadership meetings.
Shifting the focus to prevention requires businesses to think about the handling of private information that consumers entrust within the context of their overall enterprise strategy. And this is something that can only start at the top. An article for the Harvard Business Review emphasizes the inclusion of security executives in board meetings and other meetings about business priorities. “By including [security executives] in discussions about immediate and long-term business priorities, customer issues, and overall strategies, directors can ensure that the company’s security plan aligns with the company’s business goals.”
Roger Grimes is right: consumers have by and large accepted the inconveniences of data breaches, but the point is that it is up to businesses and their leadership to realize what is directly in front of them: technology and security is not just one aspect of the business, it is the business — and increasingly so. As cybersecurity expert Bruce Schneier states, consumers will change their views as “Automation, autonomy, and physical agency will make computer security a matter of life and death, and not just a matter of data.” Companies would therefore do well to bridge the gap between their business and their technology, creating a proactive culture that works to protect their most critical asset: their customers.