What Will We Do About the Cybersecurity Pearl Harbor?
When I first started to equate the massive and consequential breaches suffered during the recent past with multiple Pearl Harbors, a few people thought I was overdramatic and asked me to tone it down. Really? Are you serious? One third of the US population’s data has been compromised – and that includes over 21 million people holding the nation’s most sensitive and consequential positions, many of whom have had to be recalled because they were outed and their lives endangered. This does not even count their relatives and friends whose sensitive data was also in the OPM database that was breached. It almost appears that since digital harm is colorless and odorless we can blithely continue to go about our business without doing anything about it.
Yes, a few years ago when I initially started to raise alarm bells, I was a lot less dramatic – and rightfully so. It was well before these massive breaches and we had plenty of time to address it. Today, though, if anyone thinks this is not a matter of national security and there is no urgency to act, they need to have their heads examined.
The big question is, of course, what should be the approach? I do not think firing a CEO is enough. In a previous article I raised the issue of CEO accountability. Without CEO accountability this problem cannot be fixed. Even though the mission of any modern organization today is driven by technology and cybersecurity strategy, CEO ranks are full of financial and marketing people. Only about 50 percent of CEOs have embraced the role of IT and cybersecurity and have partnered with IT and cybersecurity strategists to do the right thing for their organizations.
The remaining CEOs view technology, cybersecurity, and even people as cost centers instead of seeing them as revenue engines and productivity and innovation drivers. These people will lay off thousands of good workers just to show a profit when laying themselves off would have made better financial sense; after all, weren’t they responsible for any financial trouble their company may have?
I heard an amazing story from an ethical leader the other day, one that really hit the point home. He was chief financial officer of an organization that had just hired a new CEO – one who had all the right financial credentials but no semblance of ethics or ethical leadership. Within a few weeks the CEO called in the CFO and asked him how much of a bonus they would make. The company had been highly profitable. So the CFO proudly shared the numbers and said, "We had a good year and we will make about 75 percent of the bonuses this year." To his astonishment, the CEO asked, "What will it take to earn 100 percent of the bonus?" Taken aback, the CFO responded, "Wow. That would require us to lay off about 4,400 people." The CEO responded, "Get it done within two months." Although this yielded about $10,000 extra for the CFO, it yielded about $100,000 extra for the CEO – still a pittance compared to the bonus and compensation these top executives were already making. However, after this crazy and gut-wrenching process of laying off 4,400 people who were directly responsible for the profits the company had made, the CFO resigned because he saw the writing on the wall: this company was doomed for the foreseeable future.
Cybersecurity equates to innovation. Without the loyalty of people, cybersecurity is unattainable. Cybersecurity cannot be achieved as long as regressive CEOs are in power. We need ethical CEOs who will share the profits of innovation and productivity with the very people who produced it in the first place. I was actually pleased to see some presidential candidates talk about this as a policy matter. But I was equally perturbed to see articles from respectable people blithely arguing for the status quo while viewing the problem through a very narrow lens. I guess some economists do not understand people. And cybersecurity is about people – not technology or even economics – and we need to see this problem through a multi-disciplinary lens.
Regressive CEOs who run their IT and cybersecurity strategy through CFOs or other executives must be removed immediately before they can do more harm. If they have already caused damage, they need to be held accountable for negligence. These CEOs obviously do not understand the role of IT and cybersecurity and are driving their organizations towards a path of doom and gloom. They are also directly harming millions of people by breaching the highly sensitive data of these people that they have collected but failed to protect. So far they have been getting away with this by firing CIOs and CISOs – professionals who were not empowered to do the right thing anyway. Even pointing out issues has caused CIOs and CISOs to be fired. We also need stronger laws protecting people from digital harm – similar to laws protecting people from suffering physical harm in the workplace.
(Source: The CyberJungleRadio/YouTube)
Some time ago I had the opportunity to discuss this issue on air with Ira Victor of TheCyberJungleRadio. Agree or disagree, please listen, share, write and speak out as loudly as you can. These are extremely important issues that we must tackle immediately! The time for passivity has long passed.
About the Author:
Dr. Mansur Hasib is the only cybersecurity and healthcare leader in the world with 12 years' experience as Chief Information Officer, a Doctor of Science in Cybersecurity, and the prestigious CISSP, PMP, and CPHIMS certifications. Dr. Hasib will be speaking at CyberMaryland 2015, Oct. 29th at 10:45am, where he will share the details of his innovative and holistic Master of Science and Doctor of Science programs in Business Information Technology and Cybersecurity, which are available to educational institutions globally. Attendance discounts are available. Dr. Hasib has been endorsed by several highly respected industry leaders, including the SANS Institute. His book and ideas are being used at several university graduate programs as well as federal training programs. It is available in ebook, paperback and audio formats. Author-signed copies of the paperback can be purchased from Dr. Hasib’s website. Dr. Hasib has several upcoming conference presentations. To invite Dr. Hasib to speak, contact him through his website: www.cybersecurityleadership.com. Follow him on Twitter: @mhasib and connect on LinkedIn.