The resignation of a major retail CEO in the wake of the 2013 holiday data breaches is one of the most high-profile repercussions of a cybersecurity incident to date. While reasons unrelated to the data breaches have been cited for the departure, the fact remains that a cyber incident helped topple a long-time leader of a major American retail brand.
The holiday data breaches in the retail sector were serious, placing millions of consumers’ credit card information and identities at risk for theft and giving rise to one of the largest data-loss occurrences in history.
We’ve heard it said that Americans need to experience a catastrophic event before taking cybersecurity seriously, and most of us associate a catastrophe with a physical event such as a major flood or earthquake, a mass shooting or a terrorist incident. Yet in a country that depends and prides itself on a thriving economy, catastrophes can take other forms. The retail breaches and resignation hardly rise to the level of a catastrophe. But in an environment where cyber threats are factored in as just another business risk, these events take this risk to a new level: the CEO level.
Many of us at McAfee, part of Intel Security, have said for years that cybersecurity needs to move from the office of the CIO to the office of the CEO before it gets some serious attention. Perhaps that is happening. While CEOs come and go all the time, cybersecurity generally doesn’t play a role. I predict that as we look back on this time, we will cite the retail data breaches and CEO resignation as the start of something: the start of a period where a cyber incident took a toll on an American company and its management. In other words, a cyber incident had an effect on our economy.
I don’t want to believe that Americans need a cyber catastrophe in order to pay attention to cybersecurity. And I don’t want solid American retail brands to suffer either. Let’s hope that the retailers affected by the holiday data breaches recover and thrive, contributing to our economy and lifestyle. But let’s also hope they and others observing the situation have learned a lesson and broadened their horizons about cyber: Security isn’t just something you delegate to the IT department and then forget about. It can make or break you.