Skip Navigation
BlackBerry Blog

Corporate Boards Tell C-Level Executives: You’re Responsible for Security

05.05.14 / Eric Lai

I can geek out over charts, so imagine my excitement when I came across this beautiful, dynamic infographic showing the world’s biggest data breaches at the appropriately-named InformationIsBeautiful.Net.

It was a timely discovery, with the CEO of a leading US retailer resigning on Monday, due in large part to ongoing fallout over the compromising of up to 70 million customer records back in November.

It wasn’t the biggest data breach in recent years. Several other multi-billion-dollar U.S. firms have suffered worse thefts in recent years, at least by the numbers affected. Hackers stole the financial information of 90 million customers in another major discount retailer’s database in 2007. The ringleader of that theft, Albert Gonzalez, also broke into the database of a leading financial processing firm, in 2008, compromising the information of a whopping 130 million consumers.

The board of directors of neither of those firms forced out their respective CEOs. Indeed, the CEO of one of those firms now offers sage advice to other companies on how to handle such breaches. The CEO who resigned Monday probably didn’t deserve to take the fall. He probably wouldn’t have, either, if it had occurred closer to the beginning of his tenure (2007).

But the environment has changed in the last half-decade. Companies that have suffered breaches are now hiring security experts from the NSA to take over as CIO. And based on this precedent, public board of directors are now holding CEOs, even in non-regulated industries such as retail, directly accountable for governance and risk management.

“It’s a new era for boards to take a proactive role in understanding what the risks are,” Cynthia Larose, chair of the privacy and security practice at the law firm Mintz Levin, told the Associated Press. “Ultimately, the CEO is responsible in that ‘the buck stops here,'” Ken Perkins, a Morningstar analyst, told ABC News.

Coincidentally, a security researcher revealed today that iOS 7 doesn’t encrypt email attachments stored “at rest” on an iPhone or IPad, even though Apple previously said it was.

A stolen e-mail attachment is no customer database breach. But if one is vulnerable, chances are the other is, too.

Security is no longer just the job of your IT department. As business executives wield increasing influence over the software and hardware (BYOD!) that they and their employees use, they also need to COPE (and COBO) with the potential for security risks and failures arising. Else, they’ll find themselves with a surprised expression as they fall on their swords the next time a data breach arises.

About Eric Lai