Monday, May 5, 2014

Heads Will Roll

Today’s big news in the security world is that Target has decided to replace CEO Gregg Steinhafel. The leadership change is reportedly a result of the much-publicized breach in late 2013 and follows the departure of Target’s CIO. There are a number of different aspects that I could write about relating to this topic, but there is one aspect in particular that captures my interest. What captivates me about this news is that, in 2014, we have come to the point where a security incident can topple an executive at the top of his or her career.

Replacing leadership after a serious incident (security or otherwise) is something we see frequently. Baseball team losing too many games? Fire the manager. Talk show not getting the ratings? Fire the host. I think what’s important here is not that Target will replace its CEO and CIO, but what comes of it in the long term. Sure, making big leadership changes is one way to catalyze the cultural change that is necessary within an organization. But seeing an improvement in the overall security posture, in any organization, requires strong and competent leadership at all levels, among other requirements.

Today’s CEO needs to be aware of the security threats to the enterprise and prepared to counter them. No one expects the CEO to be a security expert, but a security-conscious CEO will put a knowledgeable, trustworthy CSO or CISO in place. That CSO or CISO will have the knowledge and skills required to put a strong security program in place. This is no easy task, and a big part of being successful in this endeavor is putting competent leadership in place at all levels. It is absolutely critical that every link in the security organization’s management chain be strong -- one weak link can completely change the dynamic and result in the introduction of a large amount of risk. Is it easy to find strong and competent leaders in the security field? Absolutely not. Is it worth the investment in time to seek the right leaders? Absolutely.

It is tempting to fire key leadership after a serious security incident, but the true test of an organization is whether or not it improves its security posture in earnest. Leadership changes can catalyze action that is required to bring about this improvement, but they are not sufficient. A strong management chain from first-level managers up through the CSO or CISO is a critical component in a strong security posture overall.
