When considering the consequences of a data breach, plummeting stock prices, deserting customers and diminishing brand reputations immediately come to mind. These damaging and costly repercussions impact the livelihood of a company. However, a cybersecurity incident can also adversely affect individuals within an organization, costing an employee their job, career and possibly their future.
For examples of post-data breach job casualties, look no further than recent news headlines: Equifax CEO Richard Smith suddenly “retired” after the company’s breach exposed 143 million consumers’ sensitive information, while the credit data firm’s chief information officer (CIO) and chief security officer (CSO) resigned. Similarly, after Target’s infamous 2014 breach, both the CEO and CIO were forced to step down. While these are examples of job loss at the C-level, the effects of a data breach can resonate and impact many other staff members. In fact, a Trustwave and Osterman Research survey showed that 38 percent of organizations consider a data breach that becomes public a fireable offense for IT professionals (not just the C-suite).
The problem is that today’s security and compliance professionals are extremely busy people, with high-priority projects coming in from all different departments. At the same time, they must attempt to keep abreast of constantly evolving cyberthreats and industry regulations, while devising and implementing a security strategy that addresses these ever-changing elements. In such a fast-paced work environment, it’s easy to allow the seemingly less-pressing tasks to fall off a “to-do” list. From there, it’s even easier to justify procrastination. “We’ve never been breached, so we must be doing everything right. We can put off our compliance audit a couple more months, or worry about our software security patch next week.”
Alas, many professionals put off security and compliance initiatives for these reasons and others, often with catastrophic results. Take Equifax, again, for example: the company allegedly waited months to patch a well-known software security vulnerability, which perhaps, if addressed in a timely manner, could have prevented the breach. Now, imagine if you were the person who must explain why you didn’t act sooner and allowed your firm to experience a data breach. Keep in mind that if you’re subsequently fired, you’ll have to justify your failure to act to all future potential employers, and you may find it extremely difficult to land another job.
Are you a security procrastinator?
No matter how long their “to do” lists, security and compliance professionals must take a proactive approach to safeguarding data, thereby protecting their company’s reputation and their own careers. Yet many continue to put off the company’s most crucial security and compliance efforts. The primary reasons I hear in the field include:
- Lack of internal expertise: While some executives understand the need for a compliance program, the majority don’t recognize the work needed to implement and maintain an ongoing, successful program. This means that less-motivated compliance managers could get away with reporting, “We’re working on it,” for an extended period. Maintaining this façade may work in the short term, but it sets you up for massive failure if a breach does occur.
- Cost-cutting: Compliance doesn’t necessarily create new functionality, nor does it garner a pat on the back from your superiors. “Nothing happened today and that is a good thing,” may ring a little hollow to those who don’t understand change control. So, many security personnel are likely to look elsewhere to spend their money. After all, if nothing happened at the end of the day, and you can report that to your boss, you’ve done your job, right? Wrong. With the average cost of a data breach hovering above $3.6 million, a single security incident could render all your “cost savings” completely futile.
- Seemingly low odds of a data breach: Data breaches are in the news just about every week, leading many to falsely believe that other companies present a bigger, more attractive target. Or, some security professionals may simply hope that their organization is not hit by a cyberattack. I’m all for wishing for the best, yet the reality is that the odds of experiencing a data breach are as high as one in four, according to the Ponemon Institute’s 2017 Cost of Data Breach Study. This is a gamble with your company’s and your own future that is not worth taking.
- Urgency exceeds importance: Some security and compliance personnel begin the process of searching for a new solution with a high sense of urgency. They reach out to vendors, looking to get their project started immediately. But, at the drop of a hat, they’ll turn right around and say, “Never mind. We’ll come back to you in three months.” Most of the time, these people know what they must do, but will find every reason to wait. Whether it’s because their compliance assessment isn’t until next year, or they found something seemingly more pressing, there are a million ways to avoid doing the compliance tasks that need to be done.
Many or all of these circumstances may ring true for you and your company. In the future, they don’t have to.
Why wait? How to convey urgency for data protection
Of course, not every company is guilty of playing the waiting game when it comes to strengthening data security. Even the biggest brands, with large budgets and robust security systems, are vulnerable to data breaches. Regardless of where you and your company stand in your security and compliance initiatives, take heed of the following advice to convey a sense of urgency for protecting your most sensitive data:
- Share your vision: Serve as a champion for your cause. Emphasize to your team and other executives the importance of protecting your company’s reputation through proactive compliance. Help them understand that such programs are actually investments in your brand, your customers and your colleagues’ future, not another line-item expense.
- Talk costs to the C-suite: Upper management may not necessarily care about how a security incident may affect your job, but they will certainly take notice when you talk money. Share how protecting your company from a data breach also protects the organization from reputation damage and loss in customer trust, which directly impact the bottom line. You’ll find it’s much easier to obtain buy-in for supporting your security efforts if you speak their language.
- Stress compliance as an ongoing initiative: Compliance isn’t a check-the-box, one-and-done exercise; it requires continuous effort. For example, you could receive a Payment Card Industry Data Security Standard (PCI DSS) Report on Compliance (ROC) one day, and then be vulnerable to a breach the next, if even one security control changes. Therefore, assure your executives that you are “working on it,” and mean it.
- Remove sensitive data from your business infrastructure: Because you cannot predict or prevent every potential breach, the above advice will only go so far. The most effective way to strengthen data security is also the simplest approach: remove any sensitive information from your business infrastructure. Simply put, no one can hack the data you don’t hold or process. Investigate and deploy technologies that keep data away from your network and business systems, and you’ll be far less vulnerable (and less attractive) to hackers, fraudsters and other cybercriminals.
No matter what your industry, compliance and security are not something you can put off until next year, next month, or even tomorrow. It takes just a single incident to not only adversely impact your organization, but also your current job and future career. Act now and act decisively. Once you’ve acted, understand that the work still isn’t done. Take an ongoing, proactive approach to security. Make compliance a living and breathing part of your organization, and you’ll have both greater data security and increased job security.