Invite your CEO, Board and senior leadership to block 7 days in a year to handle potential cybersecurity breaches.
Will the recent security breaches and the President’s State of the Union address move the needle on cybersecurity spending?
There is a lot of conversation about a cybersecurity spending boom and the need for enterprises to loosen their purse strings for digital security, but is there a real ROI that can be measured?
Here is a brief analysis of 3 recent breaches and their business impact.
With tens of millions of credit cards stolen, Target became the poster child for credit card companies to mandate tighter deadlines for EMV (chip card) migration to avoid the fraud liability shift.
In terms of financial impact, Target's earnings are approx. $2B and their net loss from the recent cybersecurity breach after insurance payments was $148M. They may have additional liability from lawsuits, but from their quarterly reports it did not look like there was any major shift in customer spending patterns, and deeper product discounts brought back shoppers. The CIO may have been a casualty, but the CEO's departure was mostly attributed to their Canadian strategy.
So, the bottom-line financial impact was a loss of $200M, an additional investment of $150M in EMV, etc. But for a major retailer, the cybersecurity loss was much smaller than their Canadian investment, and the brand was not affected severely enough to cause a big drop in customer spending.
Home Depot, on the other hand, which makes $5B in earnings, had a net loss of less than $40M from their cybersecurity breach. No executives were fired, and the brand was not significantly affected either.
Now, Sony is a whole other story. In Q3 2014 earnings, Sony lost $10M on $1.7B in revenue and now stands to add tens of millions of dollars from the cybersecurity attack to its financial loss. The leaked emails and the loss of trust from its partners have made a major impact. They have not been able to report quarterly earnings and they are cutting paychecks manually. The loss of trust from the leaked emails fuels speculation about whether Sony Pictures will still be a viable business.
In a recent conversation with a senior executive at a $4B company about increasing their cybersecurity investment, his response to me by email was: “we are not a Sony, we do not handle large consumer transactions like Target and chances of us getting breached are minimal with our current investment and if we do get breached, our lawyers and insurance will take care of our liability”.
Words I like to hear: insurance and lawyers to reduce liability. I then responded that Target, Home Depot, Sony and hundreds of other cybersecurity events have one impact in common: distraction. Senior executives are responsible for growing the business and increasing shareholder wealth. Their job is to foster positive growth and not get distracted. When a company has a scandal or an investigation, the performance of the CEO, board and senior management is affected.
After the cybersecurity breach, Target's CEO retired, the CFO testified in front of Congress, the CIO was fired, and I am sure the senior leadership team spent hours convincing customers and partners and working with investigators. That time cannot be quantified, but it certainly did not increase shareholder wealth. So is this not an impact of a lack of cybersecurity controls?
“Home Depot ex CEO Mr. Blake took charge of the breach response. He backed up his chief information officer, Matt Carey, and spent time in the “incident response” room set up on the 20th floor of Home Depot headquarters.”
Sony Pictures CEO: “It took me 24 or 36 hours to fully understand this was not something we were going to be able to recover from in the next week or two,” Mr. Lynton recalled in an interview.
So, were their CEOs not distracted, and did they not spend countless hours trying to mitigate damage that could have been contained in the first place just by smart investment? I am not trying to say that they do not invest enough in cybersecurity today, or that more technology or resources will be the silver bullet, but continued serious investment will certainly reduce both the risk of a cybersecurity breach and the response it requires.
So, what moves the needle? Senior leadership’s time, stakeholders’ trust and, of course, legal fees and tangible financial loss. Now, no company, small or large, can argue that its CEO has time for cybersecurity breaches.