Opinion: To enhance cybersecurity, fire CEOs who don't view it as a business risk

Cybersecurity is certainly a key priority for CIOs and CISOs, but the responsibility of safeguarding data perhaps shouldn't solely lie within the IT department. In an opinion piece in Enterprise Tech, Manur Hasib, DSc, a cybersecurity and health IT professional, writes that CEOs too often don't face consequences following a data breach.

After retail giant Target suffered a massive data breach in 2013 affecting 40 million consumers, then-CEO Gregg Steinhafel stepped down from his position. Dr. Hasib notes Mr. Steinhafel is the only CEO of a breached organization to, in his words, "pay the price."

No consequences have befallen the executive leadership at Indianapolis-based Anthem, where a cyberattack compromised the health data of nearly 80 million individuals. "There appears to be no accountability," Dr. Hasib writes.

The issue here, according to Dr. Hasib, lies in the organizational flow of leadership. At Anthem, CIO and executive vice president Thomas Miller is not listed as part of the CEO's cabinet. Gloria McCarthy, Anthem's executive vice president and chief administrative officer, is deemed responsible for IT.

"IT is clearly not strategic in this organization," Dr. Hasib writes. "It is viewed as a cost center and, therefore, suffers from a perennial pressure to spend as little as possible."

Dr. Hasib says CEOs are failing when they do not treat cybersecurity risks as present-day business risks. "Their focus seems to have been on making sure they have cybersecurity insurance and a strong stock price rather than protecting the vital data of their customers and clients. They tend to forget cybersecurity insurance does not protect their clients from the lifelong impact a breach is likely to cause," he writes.

According to Dr. Hasib, CEOs who neither prioritize cybersecurity nor consider it a business risk are the most dangerous cybersecurity threat to their organizations. He likens them to "bus drivers without pilots' licenses [flying] airplanes."

Dr. Hasib concludes, "Any CEO who still runs their organizations in this manner must be removed immediately so the right CEO, one who can fix the organization, can be hired…Until appropriate CEOs are hired, the correct CIOs or CISOs at the right empowerment and qualification level will not get hired. And the problem will perpetuate."

Dr. Hasib is currently vice president and division director of cybersecurity, engineering and telecommunications at The Centech Group. He previously served on the cybersecurity faculty at Carnegie Mellon University in Pittsburgh and was CIO of the Baltimore City Health Department and CIO and CISO of University of Maryland Biotechnology Institute. Dr. Hasib holds a Doctor of Science in Cybersecurity from Capitol College.


© Copyright ASC COMMUNICATIONS 2019.