A series of massive data breaches at major companies, including the recent theft of over 140 million Americans’ personal data from Equifax, has put questions of cybersecurity at the front of every CEO’s mind. At the Wall Street Journal last week, Vanessa Fuhrmans noted that the threat of losing their jobs or even seeing their business destroyed was pushing more chief executives to give cybersecurity their personal attention.
Their motivations are twofold: First, the frequency of data breaches is increasing at an alarming rate, and second, CEOs are increasingly getting blamed for them. After last month’s crisis, Equifax’s board moved quickly (though some argue not quickly enough) to remove Richard Smith from the CEO role he had held for 12 years. Yahoo CEO Marissa Mayer, for example, had her bonus for 2016 rescinded as punishment for a 2014 security breach that compromised hundreds of millions of user accounts and to which an internal investigation found her management team had not responded properly.
The bottom line, Fuhrmans hears from various chief executives, is that they can no longer afford to pass the cybersecurity buck to the IT department and hope to escape unscathed if their company’s data is eventually compromised. That means developing good cybersecurity habits themselves (given how much information is publicly available about them, CEOs are attractive targets for phishing scams), learning more about how their organizations’ security systems work, and taking on a more direct oversight role.
Here’s an area where CEOs could be leveraging their relationship with the HR department to be more proactive about solving the problem. Rather than only investing more in firewalls to prevent external breaches, many organizations should also be looking inward, as employee errors account for nearly 60 percent of privacy failures. There’s a big role for HR in helping employees avoid the errors and bad habits that make cyber attacks more likely to succeed.
CHROs can also be thinking about how to embed a culture of data privacy in their organization, in partnership with the CIO, by aligning privacy requirements with the way work gets done and continuously adjusting policy to match employee work realities. Not only would CHROs be protecting their CEO and organization from damage, they would be seizing an opportunity to make a significant impact on the business outside of the HR function. CEB Corporate Leadership Council members can read our full executive guidance on managing the hidden causes of data breaches here.