Imagine claiming your house is secure but not knowing how many doors it has? Or that your kids are safe but not knowing where they are? Amazingly, this is what is still happening at most companies when it comes to data protection. The people in power nod affirmatively about their critical data being secure but in reality have no clue whether it is. They just hope it is.
What’s intriguing about the data breach stories hitting the news every day are the eye-opening facts that surface, like the Sony CEO’s social security number being found in 93 non-password-protected documents. 93! Think about that. Millions invested in people, technology, training…and then something analogous to a bobby pin picking a super-expensive lock turns out to be the cause of enormous and long-term damage done in some of these incidents.
Who is ultimately to blame? The CEO? The Board? At what point should cyber-security “lack of awareness” at this level be labeled “fiduciary irresponsibility” instead, followed closely by “personally liable”? Is this form of shaming and threat of individual liability what is needed to change executive mindset and behavior? Likely so.
When effecting change, the best place to start is along executive row, where company officers continue to get a pass for being among the biggest circumventers of security policies. And when this happens, employees in the lower ranks always catch on quickly to the do-as-I-say-not-as-I-do attitude. The risky behavior then spreads downward, and the company’s security posture tanks. Security exemptions are essentially a perk for executives, when in reality what this does is turn a company’s senior managers into the weak links in the security chain. In turn, they become excellent social engineering targets for creative bad guys. Many major breaches occur exactly this way; some companies are ruined by it. Again, who’s to blame?
Any of us with kids knows the bewildering feeling of trying but failing to change certain behaviors and wondering, “what’s it going to take?” We really don’t want to resort to drastic action and usually do so only when all else has failed. Is this the point we’ve reached with executives in order to make them fully responsible for protecting the company’s most valuable asset? I would say yes. Nothing else has worked. Ridiculously damaging leaks and losses keep occurring every day, many of them preventable.
One’s ass being personally on the line is often what is required for some people to wake up and meaningfully change. Until then, they won’t. Entitlement, ego, lack of self-awareness and the corporate culture that insulates them all play a part in keeping things status quo. But the minute one’s own livelihood and reputation are legitimately threatened, mindset shifts will occur, and then behavior. This is unfortunately what it took to significantly reduce sexual harassment in the workplace, and the same can be accomplished when it comes to protecting a company’s most sensitive information.