Heads Will Role!
Yes, there is a misspelling in my title. It is in reference to top cyber security roles like Chief Information Security Officer, Chief Security Officer, or other equivalents being axed because of a security breach. This is sometimes counterproductive and I would argue even harmful to a company’s cybersecurity efforts, especially with such a tight market for this kind of talent and expertise.
Too many company cultures are now built around the message that "heads will roll" if there is a breach when, in fact, if threat actors are tenacious enough, they will succeed in penetrating an organization’s cyber defenses enough to steal credentials, exfiltrate data, conduct fraud, or even interfere with operations. The decision to remove organizational leaders should not hinge solely on whether security is breached but on whether those leaders presented security risks clearly and used available resources to manage those risks in line with the organization’s risk appetite through a combination or preventive measures and responsive preparations.
When a security incident happens, we need to ask what rather than if.
What protections were implemented before the incident?
What objective (i.e. 3rd party) oversight validated those protections?
What incident response and business continuity plans and procedures were in place, documented, and tested?
What actions were actually taken when the alarm was raised?
What should be done to improve security further?
Answers to these questions might establish the grounds for firing someone. Security leaders who don’t prepare their organizations to both reduce the possibility of security incidents occurring and to minimize the impact of incidents when they do occur have not fulfilled their remit and should be held accountable. Experience shows, however, that even highly mature and diligent security programs do not guarantee total protection. Any number of high-profile breaches have come to light in recent years, illustrating the fact that vulnerabilities do and will continue to exist in every network. With every resource imaginable, no organization has demonstrated total impenetrability.
Our metrics for the success of security programs, therefore, cannot be simple binaries such as Yes/No or Secure/Insecure. Their accomplishments are measured in degrees of security, in shrinking the likelihood of a breach by closing off vulnerabilities and reducing exposures until the cost of implementing further security improvements reaches or exceeds leadership’s willingness to spend more.
Further, it would be meaningless to evaluate how well-protected cyber assets are from attack without considering the organization’s preparedness to respond should (when) an incident does eventually occur. Given that one or more security measures failed to prevent the breach, did the organization react in ways that limited the damage or that made it worse? If following documented response plans minimized negative impacts, just how quickly and effectively did they do this? How much worse could things have gone, and what changes would improve response plans further?
The desire to identify a single person as culpable for harm to an organization is understandable, and the senior figure responsible for cyber security is an obvious target. In many cases, however, the primary “cause” of a security program failing to prevent a particular breach or its impacts is a communications failure. The greatest obstacle to improving security is the difficulty in helping boards and senior executives understand the threat landscape so that they can allocate resources appropriate to the level of risk they wish to take on.