Whether you are for or against the prosecution of Joe Sullivan, the details of this case are a step in the direction of expected executive accountability for cybersecurity governance and disclosure. Add to this the potential implications of the Delaware case Marchand v. Barnhill, changes to California privacy legislation, federal disclosure requirements for critical infrastructure organizations, not to mention the SEC's impending guidance changes. There is an immutable message affirming the responsibility of board members and executives to have more robust cybersecurity monitoring processes in place and to understand that the decision on disclosure is less in their control than it has ever been.
If senior executives are paying attention, they should realize that delegation of cybersecurity management and governance was okay when the penalty for cybersecurity failure was not business-critical. But now, business viability and criminal liability are on the line, and a more robust approach is required to manage this risk and meet civil and criminal legal obligations.
Whether it is the case against Joe Sullivan, attempts by NYC to criminalize compliance officers' failures to ensure appropriate controls and monitoring, or activist state attorneys general specifying the security frameworks required for a company to claim it made "reasonable commercial efforts" to manage risk, it is yet to be seen whether these will genuinely make a difference. The sound you should be hearing is the winds of change. Some would say it's too late coming, while others say it is misguided scapegoating or blatant gaslighting, but at the very least, executives should be finding a cybersecurity advisor who they can count on and who understands how to manage these risks. Because, as they say, doing what you have done will get you what you have got, and that, it would seem, is less attractive than ever for a business executive.
As an executive security advisor who advises senior executives on these topics every week, I take solace in the fact that we help organizations and executives manage these risks appropriately. But the concern I have is the repeated disconnect between what clients have been told about managing these cybersecurity risks and how they actually invest in protecting their organization against them.
So, let me say it plainly: what you spend on cybersecurity and IT protection has very little to do with how much protection you actually receive! Further, benchmarking sounds nice, but how much someone else spends on cybersecurity is not instructive or that helpful unless they have exactly the same risk profile that you do, which they don't. Being close is not good enough any longer. This is a "zero-sum" game. Hackers and cyber criminals want to take from you to enrich themselves, they are very good at it, and they only need one opening. Why this disconnect exists is not solely the fault of management. There is a lot of noise in the market from "advisors," and between them, industry stakeholders, and online "experts" on social media, it is hard for anyone to know what is right.
The world has become filled with cyber threats, this is true, and the threats have become cyclical and increased in velocity, but there is a way forward. Organizations that can understand what is critical to them and implement a dynamic defense that changes to meet the threat where it lives can begin to defend against these risks. If your cybersecurity program is the same today as it was last year, then you may already be at risk. Risk management needs to become dynamic, versus the periodic historical approaches of the past. Quarterly meetings, annual risk assessments, monthly KPIs, and looking at holistic trends are all interesting but insufficient on their face for the threats of today.
Each year hundreds, nay thousands, of firms get the notification that they have been hacked or breached somehow. This alone should be proof enough that the risk is real. Cybercrime, in one person's opinion, may be one of the greatest threats that businesses face today in terms of draining wealth, costing jobs, and impacting human life and wellbeing. But taking a leading position on protecting company, customer, and employee information can now be a business differentiator, which is always good for businesses and organizations alike. These problems are not contained or influenced by political dogma or social policy. Hackers don't care who you support, your budget issues, or why you chose not to protect your computer systems and information. They just want in. They are counting on the fact that your CFO won't approve the budget for a system upgrade that is desperately needed, that your coders are not well trained, and that management doesn't want to tell the whole story to the board because it will distract from other issues that seem more important. A business decision not to protect something is a decision by management to accept the risk.
Joe Sullivan is an experienced cybersecurity expert and legal professional. This case may or may not be over yet, whether in a court of appeal or the court of public opinion. Either way, the merits of this case seem less important than the direction it contributes to. Executives and leaders should recognize this as the opportunity it is and remember that a reactive event for someone else can be a predictive event for you, so ask yourself what you will do differently in the future.
The time is now. If the past 15 years are any indication, these cybersecurity attacks and their impacts will only worsen until organizations change to stop them. Based on several sources, global GDP could be impacted by cybersecurity attacks to the level of 3.5% by 2030; that is effectively the economic impact of COVID every year going forward. For business, that alone should be reason enough to take a new approach to managing these risks. Add in the potential of personal criminal penalties, and that is starting to sound like a "microphone drop" moment.
Dave Tyson, President of Apollo Information Systems