When a company confirms that it has been the victim of a data breach, the latest case being Home Depot, the cost of this disclosure could be best described with a simple phrase: Carthage must be destroyed.
That is, of course, if history is any indicator. To use the above example, prior to the outbreak of the Third Punic War, hawkish elements of the Roman Republic began to popularise the phrase Carthago Delenda Est – Carthage must be destroyed. The phrase was a response to the rise of the city’s military power in the region and advocated a complete destruction of Rome's geopolitical rival in order to preserve its dominion over the Mediterranean.
Much like Rome called for the total destruction of Carthage in the face of war, so too have company powers adopted a 'total destruction' attitude towards the senior leadership managing companies, even at the board level, that have suffered critically-damaging cyber attacks and data breaches.
The CEO under fire
The job of a public company’s CEO is generally guided by one principle: to improve the equity value of the company. As the captain of the ship, the CEO is typically the most visible and responsible when it comes to guiding the course of a publicly traded company through the murky waters of business towards greater per share value for investors holding its shares.
Typically, this means that most public market CEOs have been too focused on high-level strategy to spend time on operational facets of the business, like security. Such operations are left to other staff, including other executives like the CSO (Chief Security Officer) and, further down the line, practitioners like incident responders and systems administrators.
In the past, this has also meant that CEOs and other high-level executives were rarely held accountable when it came to security issues. Even glaring security vulnerabilities or critical cyberattacks were seen purely as tactical and operational issues. A CEO might be tasked with overseeing some kind of inquisition to seek out those from the company who 'allowed' that attack to occur. But CEOs themselves were never the ones whose jobs were hanging on the precipice for the attack or its consequences.
That all changed with Target. After Target was the subject of a massive, well-coordinated data breach by cybercriminals, shares in the company plummeted over 10% in the months following the public acknowledgement of the breach – constituting a loss of over $6B in equity value to the company’s shareholders.
The damages extended into other parts of the company’s balance sheet. According to the earnings report in February 2014, the company attributed a drop of over 5.5% in sales transactions during the critical holiday season to concerns from the breach. It was the largest loss in sales transactions since the company began reporting that statistic in 2008. While the final bill has yet to be tallied in the breach, it’s expected that it will run well into the billions.
With such huge, strategic losses to the company and its equity, the unthinkable happened: Target’s CEO resigned. A 35-year veteran of the company, Gregg Steinhafel stepped down along with the company’s CIO, Beth Jacob. Steinhafel’s departure from the company was the first time the CEO of a Fortune 500 company was ousted due to the damages of a cyberattack.
Heads will roll
History seems to be repeating itself. In the last few days as of this writing, Home Depot has admitted that it is investigating a potentially massive data breach that bears a striking resemblance to the one that hit Target just nine months prior. In response, the company’s stock has plummeted over 3% in less than a full day of trading, constituting a startling loss of over $5B in equity value.
It’s too early to fully know what this new data breach will cost Home Depot. But if Target is any indication of what may happen, Home Depot could see a similar 'battle of the titans' power struggle in the board room as the company’s shares burn around it, like lava around Pompeii.
Steinhafel’s departure is a good example of how a CEO gets forced out due to a hacking attack. As news of the data breach began to impact key strategic indicators – statistics reported to investors – the company’s stock began to wither.
This withering elevated responsibility for the data breach beyond the confines of the IT department and into the boardroom.
The response to this was a clarion call to summon one of the public market’s most powerful and feared forces: the activist investor group. Institutional Shareholder Services (or ISS), a major proxy advisory firm that serves the interests of major hedge funds and other public market investors, recommended that seven members of Target’s board be removed in response to 'failing to protect the company' from the data breach.
ISS’ pressure certainly pushed Steinhafel out, but ultimately it was the reputational risk to the company’s brand that delivered the coup de grace. As time progressed and details about Target’s security practices came out, the long-term impact of the attack degraded core metrics like sales velocity and profit. Many consumers lost faith in Target’s ability to safely conduct their transactions, and irreparable damage was done to the company’s reputation and brand.
With strategic damages so great, somebody had to fall. Gregg Steinhafel and CIO Beth Jacob were necessary sacrifices to appease the investment community. Their departure helped to preserve many of the other 5 board members ISS also recommended to be sacked, as proved by a reinstatement of most of the Target board during the company’s Annual Investor’s Meeting in June.
It’s far too early to know what will happen with Home Depot’s executives. But one fact remains clear: the damages due to data breaches and other major cyber attacks are no longer simply the concern of the IT department. The reputational risk and impact on strategic metrics due to security events like the ones that struck Home Depot and Target are enough to bring down the heads of Fortune 500 companies. So, let history serve as a lesson here. C-level and board execs need to concern themselves with cyber security. After all, customers are the lifeblood of any organisation: dissolve their trust and your job could be next for the chopping block.
Sourced from Andy Manoske, Product Manager for AlienVault's Open Threat Exchange (OTX)