To Improve Cybersecurity, Fire Some CEOs
Despite the staggering number of cybersecurity breaches, so far the Target CEO appears to have been the only one to pay the price. While we hear some calls for the removal of the Anthem CEO, few are talking about the main cybersecurity threat in any enterprise: the organization chart.
In the most glaring recent example of a breach, Anthem failed to protect the data of 80 million people, roughly 25 percent of the U.S. population. Many of them are children who may not learn of the problems they will face until years from now. Yet the CEO and the executive vice president and chief administrative officer who are in charge of IT and cybersecurity have not lost their jobs. There appears to be no accountability. I am not sure, however, that removing these officers will fix the problem unless the main problem, the org chart, is repaired at the same time.
Look at Anthem's organization chart and it is glaringly apparent that Anthem has no CIO in the CEO's cabinet (see image). In her job description, Anthem's EVP and CAO Gloria McCarthy is said to be responsible for IT. However, she is clearly neither the CIO nor the chief information security officer (CISO). Yet, Anthem says, she makes the final decisions on IT and cybersecurity. You will find Legal and Human Resources reporting to the CEO; obviously these are strategic positions in the CEO's mind. IT, however, is clearly not strategic in this organization. It is viewed as a cost center and therefore suffers from perennial pressure to spend as little as possible.
During my doctoral research in 2013, I found that about half of US healthcare CEOs run their IT and cybersecurity through their chief financial officer (CFO) or some other executive. Later in my book Cybersecurity Leadership (2014), I discussed why this organizational structure is dangerous. I also explained the roles of the modern CIO and CISO. Yet in mid-2015, as I analyze breach after breach I find leadership and governance breakdowns, flawed organizational structures, lack of due diligence, an apparent inability to follow legal requirements, and a basic failure on the part of CEOs to embrace cybersecurity risk as their business risk.
Their focus seems to have been on making sure they have cybersecurity insurance and a strong stock price rather than protecting the vital data of their customers and clients. They tend to forget cybersecurity insurance does not protect their clients from the lifelong impact a breach is likely to cause.
It also appears that these CEOs have the "we sell hammers" mentality and fail to realize that IT and cybersecurity risks are the business risks of today. I have now concluded that any CEO who still runs their organization in this manner must be removed immediately so that the right CEO, one who can fix the organization, can be hired. These regressive CEOs are the most dangerous cybersecurity threat to their organizations: they are using bus drivers without pilots' licenses to fly airplanes and putting everyone's lives at risk. Until appropriate CEOs are hired, the correct CIOs and CISOs, at the right level of empowerment and qualification, will not be hired, and the problem will perpetuate itself. This dangerous practice needs to stop now!
About the Author
Dr. Mansur Hasib is the only cybersecurity and health information technology professional in the world with 12 years' experience as Chief Information Officer, a Doctor of Science in Cybersecurity, and the prestigious CISSP, PMP, and CPHIMS certifications. A global thought leader, Dr. Hasib has led technology and cybersecurity strategy for almost 30 years in healthcare, education, biotechnology, and energy. He is a frequent speaker at local, national, and international conferences. For his doctoral dissertation in 2013, Dr. Hasib conducted a national study in US healthcare and examined the relationship between cybersecurity culture and cybersecurity compliance. He shares these results in a book titled Impact of Security Culture on Security Compliance in Healthcare in the USA. In September 2014, Dr. Hasib published the new edition of Cybersecurity Leadership: Powering the Modern Organization. In this work he shares his cybersecurity leadership and governance model and lifelong learning, with many examples drawn from his practical experience, research, and observations. His leadership model is applicable in any organization. Dr. Hasib served as Chief Information Officer at the Baltimore City Health Department and within the University System of Maryland for 12 years. He currently teaches and mentors the next generation of organizational executives at several US universities. Contact Dr. Hasib via his website: www.cybersecurityleadership.com