Cybersecurity Breaches and Leadership by Kimble Lewis

Although eliminating cyber threats is impossible, protecting against them is something that can be controlled, and it needs to be a top leadership issue.

Cybersecurity, according to Merriam-Webster Dictionary, is “the measure taken to protect a computer or computer system…against unauthorized access or attack.” McKinsey & Company goes further to define cybersecurity as “the protection of valuable intellectual property and business information in digital form against theft and misuse” (McKinsey, 2011).

What is the current state of affairs in cybersecurity breaches?

Patricia Lenkov, Global Search Practice Head at N2growth, shared insight into the current state of affairs in corporate cybersecurity challenges.

Consumer Markets:

Target Corporation: Gregg Steinhafel, former Chairman and CEO, stepped down in June of 2014 due to the continued fallout from the massive 2013 data breach, in which up to 110 million consumer records were compromised.

Neiman Marcus reported that they were working with the U.S. Secret Service to investigate compromised credit card activity. Apparently, the hackers moved undetected in the company’s computers for more than 8 months.

Financial Institutions:

In June of 2014, two hackers pleaded guilty to accessing accounts at Citibank, JP Morgan Chase, PayPal, TD Ameritrade, the U.S. Department of Defense, TIAA-CREF and others to defraud these companies and their customers of more than $15 million.

In 2008, thieves attacked 2,100 ATMs across the globe and, within a 12-hour window, stole more than $9 million in cash. The FBI reported the attack “started when a 28 year old Moldovan man learned of vulnerability in the computer network of a major credit card processing company based in Atlanta.”

Who should lead here?

Interestingly, there is a debate on who should be accountable. Some say the CEO is solely responsible. Some say the Board of Directors and its Risk Committee (if they have one) are responsible. Some say others, like the Chief Technology Officer or Chief Information Officer, should carry the weight of responsibility. In a recent article, McKinsey & Company asked a very important question about leadership around cybersecurity: “Who is responsible for developing and maintaining [the company’s] cross-functional approach to cybersecurity? To what extent do business leaders (as opposed to IT or risk executives) own this issue?”

There are four functions of management where a leader is expected to be effective in delivering value:

  1. Planning
  2. Organizing
  3. Leading
  4. Controlling

In the case of Target Corporation, Gregg Steinhafel, the chief business leader, failed in his leadership responsibilities. Think about it: as Chief Executive, one desires to produce significant shareholder value, win groundbreaking EBITDA, secure the business’ brand leadership in service, quality, and price, win over Wall Street analysts, crush the competition, build an admirable corporate social footprint, make industry-leading efficiencies, and continuously seek to integrate technologies into operations to establish benchmark competitive and comparative advantages.

Gregg Steinhafel failed to lead in the last of these desires as chief executive. He did not have to be a technologist to ensure Target Corporation had industry-benchmark digital security. This is risk management 101. If you lead with technology in a service industry, risk questions like this need answers:

  1. What protocols are in place to ensure the company has industry-benchmark protection of valuable intellectual property and business information in digital form?

If the Chief Technology Officer or others could not give strong, verifiable, and lucid answers, then stop tendering business. I don’t want to hear, well, Visa/MasterCard require each terminal to have X, Y, Z, or the online portal meets the highest security allowed. This is hogwash.

Leadership is planning for contingencies and questioning everything. Leadership is making decisions on smart costs in business. Smart costs for ensuring data security should be clearly argued, during analyst calls or shareholder meetings, as a necessary component of delivering a secure, world-class buying experience.

What does winning look like now and in the future?

Google is benchmarking cybersecurity. Hot off the press: Parisa Tabriz, Google’s Security Princess, and her team of 30 engineers are mandated to focus on sniffing out and fixing security threats to Chrome, thinking and acting like a criminal (Business Insider, 2014). Their job is to find holes or security bugs in Chrome, write a fix, and push updates to all users.

Does this mean Larry Page, CEO of Google, is a technologist? No. Does this mean Parisa was ordered to be creative and counterintuitive with ensuring the safety and security of Google Chrome’s data? I am not sure, but Parisa is surely leading here.

What I admire about Parisa is her audacity to lead, given so many moving parts. I am not a technologist, but I am a leader, and I know excellence when I see or hear it. No matter if her team wins or fails, the fact that she has a bias toward thoughtful action is what impresses me. From what I see, Parisa seeks to become intimately knowledgeable of the attacker, the hacker, the enemy. This is tangible creativity. This is 21st-century warfare, taking it to the enemy. I love it!

Parisa and her team are creating, what I coin, industry-benchmark behaviors that would work well in being duplicated in consumer markets and financial services, where valuable intellectual property and business information in digital form is ubiquitous.

About the Author

Kimble Lewis is Global Executive Editor for Kimble Lewis & Company’s Insights and Publications. He serves as Chairman, President, and Chief Executive Officer of Kimble Lewis & Company, an American global diversified holding company headquartered in New Jersey, United States.

Brief Message to Reader

I write this article, not as a technologist, but as a leader who is quite efficient in the four functions of management, and who appreciates that certain management and leadership functions just cannot and should not be delegated.

If in the same situation as Gregg Steinhafel, or as CEO of a public corporation, could I have done a better job?

Yes.

Since Target boards of directors are seeking Gregg’s replacement, why not introduce them to my leadership brand?

References:

“Cybersecurity.” Merriam-Webster.com. Merriam-Webster, n.d. Web. 12 July 2014. http://www.merriam-webster.com/dictionary/cybersecurity

Kaplan, J., Weinberg, A., Shantnu, S. (2011, June). Meeting the cybersecurity challenge. McKinsey.com. Retrieved July 12, 2014, from http://www.mckinsey.com/insights/business_technology/meeting_the_cybersecurity_challenge

D’Onfro, J. (2014, July 12). Google’s “Security Princess” Leads A Team Of Hackers Paid To Think Like Criminals. Business Insider, 1-5.