Arraya Insights | October 23, 2017
“My advice is for business leaders to get involved now or be prepared to face the music later.” Tom Clerici, Arraya’s Cyber Security Practice Director, wrote those words to cap off his most recent blog post, entitled “All CEOs Should Pay Attention to Equifax Firings – They May Be Next.” In the post, Tom theorized that the fallout from catastrophic data breaches – such as the one still unfolding at Equifax – could soon escape the boundaries of IT and sting those on the business side who previously assumed immunity. It didn’t take long for Tom’s prediction to come true.
Roughly a week after his post was published, Equifax CEO Richard Smith announced his “retirement” following twelve years on the company’s leadership team. Smith joined David Webb (the company’s now ex-Chief Information Officer) and Susan Mauldin (its former Chief Security Officer) as newly minted “retirees.” The trio was seemingly jettisoned following the company’s devastating data breach, which exposed the personal information of more than 145 million Americans, including social security numbers, addresses, phone numbers, and more. Despite the terminology used to define his departure, Smith wasn’t headed for a beach and a drink served in a pineapple. Instead, he had a series of dates with a Congress eager for a punching bag.
Smith’s apology tour began with a three-hour grilling by the House Energy and Commerce Committee, the members of which were all too happy to pepper Smith and Equifax with verbal barbs. Things didn’t get any easier when Smith switched chambers and appeared before the Senate’s Banking Committee the following day.
Here are some of the highlights – or lowlights depending on your perspective – of Smith’s appearances:
- Joe L. Barton (R-TX) called for federal legislation to “put some teeth” into the penalties levied on companies who suffer a data breach by charging them thousands of dollars per record compromised.
- Elizabeth Warren (D-MA) lambasted Smith, saying “when companies like Equifax mess up, senior executives like you should be held personally accountable and the company should pay mandatory and severe financial penalties for every consumer record that’s stolen.”
- Greg Walden (R-OR) lamented his inability to “pass a law that, excuse me for saying, fixes stupid.”
Next Steps: Making security everyone’s business
Harsh words. However, it’s hard to feel too bad for Smith, who appears set to take home a sizeable amount in long-term bonus money according to a report by Bloomberg. There are a couple of key points contained above that likely jumped out to anyone in the business of handling and securing sensitive data. The comments from Rep. Barton and Sen. Warren seemed to suggest that the government should play a more active role in encouraging better cyber security postures. These statements may signal that stiffer fines could be on the way for organizations that fail in their obligation to keep data safe. Any such threat to the bottom line could succeed in helping another part of Tom’s blog become a reality. In it, he wrote:
“There is a misconception in many organizations that IT owns security and it’s solely their job to keep the bad guys out. That approach is fundamentally flawed and gives executive leadership an easy pass to blame the CIO and CISO when a breach happens… The last time I checked just about everyone uses technology today. The first thing most employees do when they get to the office is log into a computer. In essence, EVERYONE is a part of the IT department.”
Don’t wait for Congress to swing their legislative hammer. Arraya’s Cyber Security team can serve as a bridge between IT and the business. Our team is skilled at aligning security initiatives with organizational goals, ensuring real, meaningful progress. This way, regardless of what Congress elects to do, all sides of the business can come together in order to ensure their data is safe.
Continue the security conversation with Arraya today by reaching out to our team at: https://www.arrayasolutions.com/contact-us/. Leave us a comment on this or any of our blog posts through social media. Find us on LinkedIn, Twitter, and Facebook. While you’re there, be sure to follow us to keep up with our latest industry insights and exclusive learning opportunities.