Since the rise of data breaches 11 years ago – when AOL was the first major company to be compromised, with 92 million screen names and email addresses stolen – numerous senior executives have lost their jobs, including:
- Huge data breach prompts resignation of top US official – Most recently, the director of the US Office of Personnel Management (OPM), Katherine Archuleta, has resigned after a massive data breach involving more than 20 million people.
- Sony executive resigns post in wake of data breach – Amy Pascal, co-chair of Sony Pictures Entertainment, stepped down from her executive posts in May 2015 after her emails were leaked to the public in Sony’s data breach.
- Target CEO Gregg Steinhafel resigns in data breach fallout – Steinhafel stepped down after his much-criticized handling of Target’s data breach, which affected 40 million shoppers’ credit card details and 70 million customers’ personal data.
- Target CIO Beth Jacobs also resigns – Target chief information officer Beth Jacobs also resigned as the retailer overhauled its information security and compliance division in the wake of the data breach.
- Director of Maricopa district’s information technology department fired – Miguel Corzo, the director of the district’s information technology department, was fired in 2014 after the Maricopa County Community College District suffered a breach in which hackers penetrated the computer defense infrastructure, compromising 2.5 million current and former students’, employees’, and vendors’ personal information.
- Texas State Comptroller’s office fired a number of information security executives – The Texas State Comptroller’s office fired an undisclosed number of information security executives following a data leak that exposed Social Security numbers, driver’s license numbers, names, and addresses of more than 3.2 million Texans. The data, which should have been transferred in an encrypted manner by agencies under Texas administrative rules, was in fact transferred in an unencrypted manner.
Data breach – who’s to blame?
A survey conducted by AlienVault of over 1,000 individuals at RSA 2015 revealed that 38.8% of respondents believe the CISO should be the fall guy in the event of an incident occurring. The CEO (24%), CIO (26%), and VP of IT (24%) were considered almost equally accountable.
Although there is a lack of unanimity as to who is ultimately responsible, the report indicates a common perception that a senior executive should take the blame if an organization is breached. This points to the fact that cybersecurity is increasingly seen as a business issue, rather than just an IT one.
Tips for safeguarding your job
If you are directly involved with implementing information security practices, handling sensitive data, or in charge of any of these procedures, then take note. Here we offer advice on how best to handle yourself before, during, and after a data breach:
- Take basic cybersecurity measures: Use strong passwords, encrypt any sensitive information, and update software regularly. Even though these are some of the most basic measures you can take, they are often the most ignored, and that neglect has caused some of the most severe data breaches.
- Regularly test your systems: Whether you have an in-house team of specialists or you outsource to CREST-accredited penetration testers, it’s really important to conduct regular testing of your systems to check for vulnerabilities and fix them before hackers are able to find them.
- Be quick to respond: By doing the above, you’ll be able to quickly respond to any threats you do find, which will reduce the severity of a breach significantly.
- Be honest with the board: If you do find a threat, then report it to the board/your manager straight away. There’s no point sweeping it under the carpet, as these things tend to get out all by themselves, and then you’ll look even worse if you weren’t the one to find it – or you knew about it but didn’t report it.
- Give regular updates: Keep things transparent with the board by giving them updates on what you are doing to fix the situation, how it is being resolved, and when it will be fixed. This communication plays a key role in how your company will communicate with the rest of its staff, customers, and stakeholders; your information here is vital.
Address the threats facing your organization as a whole
Information security affects the whole company and is a responsibility shared by all staff, but corporate information security is often hindered by a lack of adequate communication between the security team and the rest of the organization.
Information Security: A Practical Guide – Bridging the gap between IT and management provides an overview of basic information security practices that will enable your security team to better engage with their peers to address the threats facing the organization as a whole.
Covering everything from your first day at work as an information security professional to developing and implementing enterprise-wide information security processes, Information Security: A Practical Guide explains the basics of information security, and how to explain them to management and others so that security risks can be appropriately addressed.