Executive management is typically focused on growing a company's revenues and increasing shareholder value. Today, executives also need to focus on protecting the company's IT systems in order to retain that value. Recent events at Yahoo illustrate the point: the executive team was primarily focused on increasing the sale price of the company. Had management taken the time to ensure that its information technology systems were secure, rather than concentrating on the company's valuation, shareholders would have enjoyed a far better outcome. To date, the breach has cost Yahoo shareholders $350 million, the discount Verizon took on its purchase price because of it. It also cost Yahoo's Chief Legal Counsel his job and CEO Marissa Mayer her annual bonus.
Why did the Chief Legal Counsel lose his job over an IT security breach? Breaches usually fall within the domain of the company's CTO, CSO or CIO, but when the data compromised is customer information, the company's obligations to protect that information fall squarely under the responsibility of the Chief Legal Counsel. An important lesson from this event is that executive management needs to be in tune with the requests and needs of middle management and IT personnel, especially when it comes to IT security.
Having been in the industry for more than 30 years, I have attended countless meetings where recommendations have been made to protect a company's networks and information, only to find that executive management feels the costs are too high, or would rather spend the money on other parts of the business where they can see a clear return on investment. Typical answers I hear from corporate executives when asked about IT security are: "Our IT department handles that" or "You need to talk to our IT guy."
What does that mean? Executives must have some basic knowledge of IT security to give shareholders assurance that the company's IT systems are protected. Would an executive give the same kind of answer if asked, "How does the company ensure that proper accounting practices are followed?" The same scrutiny executives apply to keeping a company's financial records in order should apply to IT security. In the case of Yahoo, and of the myriad other companies that have suffered breaches, executives cannot pass the buck on IT security, and cannot base decisions about securing IT systems solely on return on investment.
In retrospect, would Yahoo's CEO have approved additional security measures to protect customer information regardless of the cost? Even if hardening Yahoo's systems had cost, say, $35 million, that would have been a drop in the bucket compared to the $350 million in sale price that Yahoo lost. Furthermore, it is quite likely that those funds are now being spent to harden Yahoo's IT systems as a condition of the sale to Verizon.
While there are no unbreachable systems, companies can significantly reduce their risk by layering security controls around valuable and sensitive data. Recognizing and accepting that there is no magic bullet that will make this problem go away, and involving middle management and IT personnel in the decision-making process to identify the expenditures that will actually reduce risk, will go a long way toward protecting corporate systems.
In summary, executives should not and cannot roll the dice when it comes to information technology and security. Experts must be allowed to do their job of protecting a company's data with the most current tools available. IT security threats change daily, and security technology becomes obsolete quickly as hackers study the products on the market and work out how to exploit vulnerabilities in them. IT security measures must therefore be reviewed and updated often, and they should be layered, so that an attacker who has learned to defeat one measure still faces others.
The Yahoo example should put all executives on notice that their company can be next. Executives need to make IT security a priority and not just a line item in a report.
Richard Picolli, CISSP, is the president and owner of GTBM Inc., a computer technology, radio communications and software development firm with over 30 years of experience serving the needs of municipalities, police agencies and corporations with software, hardware and network integration services. Mr. Picolli has developed several patented technology products, including software that has received Designation and Certification by the Department of Homeland Security as a Qualified Anti-Terrorism Technology under the SAFETY Act, and he is recognized throughout New Jersey for his leadership in creating and deploying technology and services to support critical communications infrastructure for public safety.