The Yahoo Lesson for CEOs: Bring your CISO into the Boardroom
If you view your CISO as a techno-nerd, capably managed by the CIO and therefore someone the board doesn’t need to make time for, think again.
Poor cybersecurity poses an existential threat to your business. That makes it a board-level matter which demands close attention and priority resourcing. You undervalue your gatekeeper at your peril.
Cybersecurity is an operational issue, not an IT one, so your security mastermind must be established, accountable, and independently funded. Delegation can be dangerous when it comes to responsibility for security breaches: just ask former Yahoo CEO Marissa Mayer.
It is now just a year since Yahoo reported two major hacks, one in 2013 and one in 2014, which compromised a total of 1.5 billion customer accounts. The delay in reporting them, which is still under investigation by the Securities and Exchange Commission (SEC), exacted a heavy price. The company’s share price dropped immediately and the Verizon takeover deal was plunged into uncertainty, while Mayer forfeited her annual bonus and stock award.
Where did Yahoo go wrong?
Yahoo made a series of fundamental errors which exposed the company to attack in the first place and then compounded the damage. In short, cybersecurity was not on the C-Suite’s agenda because the people at the top fatally underestimated the destructive potential of a hack.
Firstly, Yahoo took too long to hire a CISO, and then the company failed to bring its security specialist into the inner circle, meaning some top-level decisions are likely to have been ill-informed. For example, the CISO may not have been told about a secret program Yahoo installed on behalf of the government to scan users’ emails.
If a company sees cybersecurity as a business barrier instead of the business enabler it should be, then the CISO will inevitably be well down the pecking order for resources. Switch the thinking and you transform the CISO from a hindrance into a potent business asset.
The mind-set was simply wrong at Yahoo. Despite multiple vulnerabilities being noted by internal security teams, there was no appetite or financial backing for controls to be put in place. Some data was encrypted using secure algorithms while other data was plaintext or insecure, and the company also lagged behind other Silicon Valley heavyweights in implementing technologies such as end-to-end encryption and bug bounty programs.
Then, when the first attack was discovered, users were not immediately forced to change passwords. This is a prime example of the company’s poor attitude to cybersecurity. The SEC and the public were kept in the dark for two years. There was no action plan to contain the damage, no investigation to learn the lessons, and no communications strategy to protect consumer confidence.
Four lessons for industry
- IT security needs proper investment and commitment from the board. Just because you have appointed a CISO, it does not mean you can ignore the issue. Empower your CISO to protect the organization.
- Conduct detailed IT security due diligence during any takeover. You are buying data assets along with a company and you need to know whether any lax security might come back to bite you.
- Tell users and the authorities about any security breach at the earliest opportunity. Not only is that the ethical thing to do, but the rules demand it.
- Own the problem. Taking responsibility and communicating effectively can save a great deal of pain and ensure that reputational damage is minimized.
How safe is your organization?
The easiest way to determine whether your company has a healthy cybersecurity culture is to look at where the CISO sits in the organization.
When a CISO reports directly to the CEO, the C-Suite has a better understanding of the issues, is better invested in minimizing the risks and planning damage limitation, and is therefore less likely to fall foul of a Yahoo-style scenario.
You also avoid any conflict of interest between the team responsible for implementing IT projects and the specialists charged with protecting the organization.
- Choose a CISO who can articulate business risk
- Make room for the CISO at the top table
- Resource the role properly
- Have a clearly defined action plan in case of a breach
Cybersecurity is a business risk, so treat it like one.