News & Insights for the AI Journey|Tuesday, May 21, 2019

To Improve Cybersecurity, Fire Some CEOs 

(Source: Shutterstock - Ollyy)

Despite the staggering number of cybersecurity breaches, so far the Target CEO appears to be the only one who has paid the price. While there have been some calls for the removal of the Anthem CEO, few are talking about the main cybersecurity threat in any enterprise: the organization chart.

In the most glaring example of a breach, Anthem failed to protect the data of 80 million people, roughly 25 percent of the U.S. population. Many of them are children who may not learn of the problems they will face until several years from now. Yet the CEO and the executive vice president and chief administrative officer, who are in charge of IT and cybersecurity, have not lost their jobs. There appears to be no accountability. I am not sure, however, that removing these officers will fix the problem unless the main problem, the org chart, is repaired at the same time.

Look at Anthem's organization chart and it is glaringly apparent that Anthem has no CIO in the CEO's cabinet (see image). Anthem's EVP and CAO, Gloria McCarthy, is said in her job description to be responsible for IT. However, she is clearly neither the CIO nor the chief information security officer (CISO). Yet, Anthem says, she makes the final decisions on IT and cybersecurity. Legal and Human Resources report to the CEO; obviously these are strategic positions in the CEO's mind. IT, however, is clearly not strategic in this organization. It is viewed as a cost center and therefore suffers perennial pressure to spend as little as possible.

Anthem's org chart

During my doctoral research in 2013, I found that about half of US healthcare CEOs run IT and cybersecurity through their chief financial officer (CFO) or some other executive. Later, in my book Cybersecurity Leadership (2014), I discussed why this organizational structure is dangerous and explained the roles of the modern CIO and CISO. Yet in mid-2015, as I analyze breach after breach, I find leadership and governance breakdowns, flawed organizational structures, lack of due diligence, an apparent inability to follow legal requirements, and a basic failure on the part of CEOs to embrace cybersecurity risk as their business risk.

Their focus seems to have been on making sure they have cybersecurity insurance and a strong stock price rather than on protecting the vital data of their customers and clients. They tend to forget that cybersecurity insurance does not protect their clients from the lifelong impact a breach is likely to cause.

Mansur Hasib

It also appears that these CEOs have the "we sell hammers" mentality and fail to realize that IT and cybersecurity risks are the business risks of today. I have now concluded that any CEO who still runs an organization in this manner must be removed immediately so that the right CEO, one who can fix the organization, can be hired. These regressive CEOs are the most dangerous cybersecurity threat to their organizations: they are using bus drivers without pilots' licenses to fly airplanes and putting everyone's lives at risk. Until appropriate CEOs are hired, CIOs and CISOs at the right empowerment and qualification level will not get hired, and the problem will perpetuate. This dangerous practice needs to stop now!

About the Author

Dr. Mansur Hasib is the only cybersecurity and health information technology professional in the world with 12 years' experience as Chief Information Officer, a Doctor of Science in Cybersecurity, and the prestigious CISSP, PMP, and CPHIMS certifications. A global thought leader, Dr. Hasib has led technology and cybersecurity strategy for almost 30 years in healthcare, education, biotechnology, and energy. He is a frequent speaker at local, national, and international conferences. For his doctoral dissertation in 2013, Dr. Hasib conducted a national study in US healthcare and examined the relationship between cybersecurity culture and cybersecurity compliance. He shares these results in a book titled Impact of Security Culture on Security Compliance in Healthcare in the USA. In September 2014, Dr. Hasib published the new edition of Cybersecurity Leadership: Powering the Modern Organization. In this work he shares his cybersecurity leadership and governance model and life-long learning, with many examples drawn from his practical experiences, research, and observations. His leadership model is applicable in any organization. Dr. Hasib served as Chief Information Officer at the Baltimore City Health Department and within the University System of Maryland for 12 years. He currently teaches and mentors the next generation of organizational executives at several US universities. Contact Dr. Hasib via his website: www.cybersecurityleadership.com

About the author: Alison Diana

Managing editor of Enterprise Technology. I've been covering tech and business for many years, for publications such as InformationWeek, Baseline Magazine, and Florida Today. A native Brit and longtime Yankees fan, I live with my husband, daughter, and two cats on the Space Coast in Florida.

5 Responses to To Improve Cybersecurity, Fire Some CEOs

  1. Alison Diana

    I'm surprised more CEOs are not held accountable, given Sarbanes-Oxley. It also continues to surprise me that so many CIOs report to the CFO, at a time when technology is so integral to the success of an organization, when tech is part of practically everything every organization must do, and digitalization/consumerization are atop even boards' minds. That said, if an IT department is solely focused on making sure the lights are on, it plays into the role of cost center, not transformer.

  2. Joseph Klein

    Does anyone have a list of fortune 500 companies which have IT and Security reporting to the CFO?

  3. Alison Diana

    I am not sure, Joseph, but that would be a fascinating report. It's probably something you could figure out via Advanced Search on LinkedIn, but it may be something Mansur has already done for his doctorate or in one of the university courses he teaches. Mansur, do you know of such a list?

  4. Mansur Hasib

    The mess exists all over. This is why I finally concluded that without the right CEOs, the right CIOs will never get hired and the right cybersecurity environment will never happen. Some organizations hired CISOs and made them report to CEO, while the CIO remained lower – which is an even bigger mess. There have been many surveys done. This is one I found:
    http://www.vell.com/blog/topics/456-fortune-500-cio-succession-%E2%80%93-who-do-cios-report-to-now

  5. Rachel Phillips

    I agree that these companies need to face consequences, as encryption is very, very basic security. It doesn't take a CIO to make sure these basic protections are used. This is just simple and horrifying negligence.

