Today’s breaking news around the dismissal of Ashley Madison’s CEO Noel Biderman comes as no shock in the aftermath of the company’s recent breach. More and more CEOs are taking the blame and suffering the fallout when companies get attacked.
Katherine Archuleta, the director of the Office of Personnel Management, joined the ranks of the unemployed in July after two breaches that became a media feeding frenzy. Her promises to improve the security posture of the U.S. government’s human resources department were ultimately too little and far too late. After all, there were five previous breaches before this Mother of Personnel Records Heist.
This was no small, containable incident. The New York Times wrote that it will be a national security threat for decades to come. As the extent of the problem became clear, the White House backed off its initial support for Ms. Archuleta. Previously on June 16, spokesperson Josh Earnest told reporters that, “the president does have confidence that she is the right person for the job.” Less than a month later, she was gone.
As breaches like this continue, organizations are now hyper-focused on reducing the time it takes to regain control over their networks and preserve their business operations. The consequences are, well, consequential.
Consider the track record of what happens to business leaders after major attacks. (Hint: they needed to change their LinkedIn profiles.) Boards simply have no choice when it comes to restoring public trust and holding their executive leadership accountable for security lapses.
The litany of CEOs shown the door for opening the door to advanced targeted attacks includes:
The HBGary Federal attack was a double whammy, for it revealed both inadequate systems and nefarious doings. In 2011, members of the Anonymous hacktivist group compromised HBGary Federal’s networks and exposed many sensitive e-mails and client documents. The exposed plans detailed activities such as intimidating journalists, planning cyber-attacks and planting misinformation, including the involvement of other companies. HBGary Federal was already in the process of selling itself after the company failed to meet revenue projections and had difficulty paying taxes and salaries. In the aftermath of the breach, the CEO resigned.
In 2011, DigiNotar’s system was tricked into issuing more than 500 fraudulent digital certificates for top Internet companies. This caused such severe damage to the company’s image and business that confidence was unrecoverable. The company went bankrupt.
After its highly publicized 2013 breach that resulted in the compromise of 40 million credit/debit cards and 70 million contact records of its customers, Target’s CEO ultimately resigned from his post. Target’s earnings continued to take significant hits after the breach, a telltale sign that consumer confidence had been impacted.
“The Interview,” a movie starring Seth Rogen that mocked North Korean leaders, resulted in the co-chairman of Sony Pictures, Amy Pascal, having to do a lot of interviews on her own.
In late 2014, Sony Pictures Entertainment was breached by suspected North Korean hackers. The hackers then publicly posted personal employee data, confidential emails and other intellectual property online. The greed, venality and amorality of Hollywood biggies were unmasked by the breach, which is why Pascal had to go.
And that’s not all. In addition to Target, Sony and HBGary, the CEOs of three South Korean credit card companies promptly resigned after breaches impacted their organizations.
While it can be argued that the proliferation of hacks normalizes the event and through that inoculates management, the truth is that the risks and consequences of being breached have intensified.
With all of these examples of executives being shown the door after a hack, it’s easy enough to envision a future where proficiency in cybersecurity will be mandatory for the 21st century CEO. Future C-level executives will need a deep understanding of cybersecurity and risk. Corporate boards, shareholders and activist investors will demand it, as will ISS and other governance groups.
As for lessons learned, there are three things we know for sure. Global organizations experience daily attacks, and their most valuable IP and customer records are constantly under siege. The consequences of a major security breach are profound and far-reaching. The minutes, hours and days following a major breach, the critical moments when resiliency is tested and truth-telling is required, are the moments that often determine if C-level executives can survive to keep their jobs and their company safe.