Another Breach, Another Opportunity to Ask How to Incent Honesty
Overcoming instincts to take cover when danger is present is key to bringing positive change. Do we want the carrot or stick to incentivize honesty?

Opinions expressed are solely my own.

Recent news coverage of a CISO’s conviction for covering up a data breach resurrected a nagging question posed in my April 2021 blog post, Re-Thinking Response and Reaction to the Data Breach Disclosure Dilemma: Can we change our thinking as we acknowledge it’s better to know than not know?

The federal jury conviction was followed by a polemic rebuke from US Attorney Stephanie Hinds and FBI San Francisco Special Agent in Charge Robert Tripp, making it clear that they “...will not allow rogue technology company executives to put American consumers’ personal information at risk for their own gain.” But soon after the news broke, several subsequent news stories in tier-one media and security trades focused on long-held fears about personal risk and whether convictions like this make CISOs/CSOs “sacrificial lambs.” Some even called the conviction flat-out wrong and a missed opportunity. Nonetheless, smoke and mirrors prevailed again over transparency, and the dilemma over how disclosures are sometimes (mis)handled remains.

Status Quo Won’t Do

While the legal, policy, and regulatory factors of this case – shaded by ethical nuances – are influencing different opinions and revelations, at its core it is a disclosure issue in which an illegal and career-derailing gamble backfired. Telling versus not telling is still a gamble some feel forced to wager.

In No Safe Harbor by David Sangster, the author says extortion “plays on human emotion” and sends people plummeting to the bottom of the hierarchy-of-needs pyramid, making them vulnerable in ways they “can’t even conceive of until it happens.” He cites research showing people are incapable of separating their emotions from their decisions – a necessary imperative. In business, we trust our emotions (a.k.a. gut instincts) to make decisions, which means overcoming the atavistic instinct to hide when we feel in danger is truly key to positively influencing actions and decisions.

A Little Better, A Long Way to Go?

Any organization that touches data is responsible for protecting it, and if security best practices are followed, a growing number of cybersecurity safe harbor laws aim to offer liability protection against some attacks – a move in the right direction. The Cybersecurity and Infrastructure Security Agency, less than four years old, is creating valuable partnerships with businesses and making great strides in helping improve cybersecurity efforts across the board. And better security options, like multifactor authentication (MFA), are being increasingly adopted. All good.

Reputational damage from loss of trust, which is impossible to insure against and nearly impossible to calculate or fully recover from, is a persistent fear that clouds judgment. Feeling safe enough to deliver hard truths to an angry Board of Directors, fed-up customers, regulators, and an unforgiving public may require either a new carrot or stick incentive, an overwhelming change in how we react to bad news, or both. In the meantime, personal risk when it comes to breaches is something we’re likely to hear more and more about.

Lisa Rainbolt Maher
