Once upon a time, it was invariably the CIO or other technology executive who took the fall for a technology mishap so serious that it actually damaged the firm and its reputation.
These days, however, the blame goes increasingly right to the top, given the massive financial, brand, and even legal damage organisations risk today.
For one thing, as we’ve all seen over the past decade, but especially in the past five years, cyber events are now mainstream news across the world. And in Australia and elsewhere, there are increasingly harsh penalties for organisations that don’t report cyber-attacks to their customers and the regulators. Meanwhile, in late June 2021, Australia’s Labor opposition party sought to table a bill that would see organisations that pay ransomware attackers actually hit with fines.
Suffice to say, there is no hiding from - and no excuse for - major cyber-attacks for anyone in the senior executive, and that includes the CEO.
A possible upside to this situation is that senior executives have more reason than ever to communicate closely with their CISO, CIO, or another tech leader responsible for cybersecurity.
It’s certainly a trend we’re already seeing more broadly since the pandemic elevated technology leaders to a status they’ve never enjoyed before.
But it’s absolutely imperative now that business leaders fully understand the increased tempo and greater sophistication of today’s cyber environment and what their senior tech leaders – and their teams – are doing to mitigate the risks.
There are many obvious reasons for doing so, but perhaps the most glaring is just how much of the value of today’s organisations is in the form of intellectual property and other critical data, which mainly exists in digital form.
Consider this: from the mid-70s to 2018, there has been a dramatic shift in the balance between so-called ‘tangible’ and ‘intangible’ assets reported by the five biggest companies in the world at the time.
In 1975, the five biggest companies, IBM, Exxon Mobil, Procter & Gamble, GE, and 3M, had a combined $594 billion in tangible assets, versus $122 intangible. Fast forward to 2018, and Apple, Alphabet, Microsoft, Amazon, and Facebook were estimated to own a combined $US4 trillion in tangible assets, but with intangible assets worth a colossal $US21 trillion.
These are indeed different times we’re in, and just as tech leaders have been called upon to help firms adjust to the new reality of work, the new reality of cybercrime means they have a bigger role to play than ever in protecting the firm from possible disaster.
And the CEO needs to have them at the table and listen to them.
For many companies, cyber security remains something that is addressed by merely checking boxes and ensuring basic compliance and regulatory checks are met. But of course, this is not enough today, and as many CEOs have learned the hard way, it’s not enough to protect their jobs in the event of a major breach.
Top CEO cyber security fails
While the C-suite today is far more alert to the risks of cyber-attacks and their wider repercussions, it’s worth reflecting on some of the more spectacular CEO career fails they have wrought over the years.
Remember back in 2013 when Target managed to spill the credit card and payment details of 40 million customers? Then-CEO Gregg Steinhafel was forced to fall on his sword a few months later as an outraged public – and investors – demanded there be consequences.
A year later, in late December 2014, Sony Pictures found itself in a huge pickle when it emerged hackers had leaked film releases and other highly sensitive information, including employee information and personal emails. Among them were emails by then co-chairman Amy Pascal, who was exposed criticising then US president Barack Obama and a number of Hollywood actors, leading to her resignation after just a few months.
But perhaps the main contender for the biggest ever cyber security fail is credit reporting firm Equifax’s monumental debacle in September 2018, when it managed to expose the names, birthdays, addresses, driver’s license and social security numbers of 145 million people. Then-CEO Richard Smith lasted less than a fortnight after that whopper.