Security Accountability: Who in the C-Suite Should Care?
August 6, 2018 | Guest Blogger: Allan Pratt

Since the Target breach of 2013, security accountability has been a hot topic of conversation among the C-Suite worldwide. For years prior to the Target breach, the mindset was “that’s not my problem because it’s below me,” or in other words, the responsibility belongs to employees within the IT Department, the HR Department, or the Marketing Department. The C-Suite players only cared about fiduciary responsibility, market share, and not driving the business into the ground. These may be harsh words, but they reflect reality.

Unfortunately, there are too many CEOs and CFOs who have never given security, and to be more precise, information security, or infosec for short, a second thought.

According to a cybersecurity survey by BAE Systems, “More than 90 percent of executives cannot read, interpret, or understand a security report. Moreover, the most worrisome news is that 40 percent of these executives said they actually don’t feel responsible for the repercussions of cyberattacks.”

Then the Target data breach happened. After the breach, Target’s profits plummeted by 46 percent, and according to Forbes, customers left Target in droves. Following the Target breach, the C-Suite discussion about data breach prevention, hack attacks, and infosecurity has changed. Now, every C-Suite executive knows what can happen if their company is hacked. You might think that knowing what can happen would be the end of the C-Suite discussion, that everything would be right with the world, except for one small problem.

There’s something known as third-party vendors! A company can have the best policies and procedures in place, but as the saying goes, you are only as strong as your weakest link, or in this case, vendor.

Here’s a case in point: Target was breached through a vendor that was breached first. The hackers broke into Target’s network using login credentials stolen from a heating, ventilation, and air conditioning company that performed work for Target. The hacker was able to gain access to Target’s point-of-sale (POS) system due to the retailer’s failure to properly segregate systems, i.e., the system that handled sensitive payment data should have been segregated from the rest of Target’s network. If the first breach had not happened, then the secondary breach into Target’s customer data would not have occurred – at least not via this route.

A major responsibility for most C-Suites as a group is to dictate policy, but there are times when something will be overlooked when drafting policy and procedure manuals. How often are other departments included in drafting policy and procedure manuals? If other departments, such as IT, Marketing, and HR, were included, there might be a lower likelihood of important issues being overlooked.

In this tech era where change happens overnight, all organizations should consider adding the expertise of these internal departments. Think back to Target’s breach – perhaps the issue of external vendors would have been raised before the breach happened. When Target’s breach happened, a third-party breach was not on our radar, but thanks to extranets and automation, vendors that get access to corporate extranets are now soft targets for hackers. The smaller the company, the less likely they will have the discipline or even the time to train all their employees on the security hygiene required to prevent attacks like the one on Target.

Now is the time that each and every member of the C-Suite must think about protecting their businesses while simultaneously partnering with the companies they hire to ask about their security protocols. In addition, security must be part of every business initiative, not an afterthought. You don’t want your business to become a target, or worse, the next Target!

About the author

Guest Blogger: Allan Pratt

Allan Pratt, an information security strategist, uses his expertise in computers, cloud computing, networks, servers, security, and mobility to translate tough tech into everyday language. He is a frequent contributor to national tech blogs.