CEO Report Card: Low Grades for Risk Management

Former Target chief executive Greg Steinhafel would be in good company today if the Dark Reading community had a say in his job performance on cyber security risk management.

Steinhafel, as I'm sure you recall, famously resigned from the retailers' top job this past May, following a data breach of 40 million hacked credit and debit card accounts compromising the names, phone numbers, email and mailing addresses from as many as 70 million customers.

In the Dark Reading community, according to the results of our latest poll, members likewise show a stunning lack of confidence in their chief executives' ability to marshal the talent, financial resources, skills and training to defend their companies from a similar attack. Only 16% of roughly 750 respondents gave CEOs an "A" for making cyber risk management a top priority. On the bottom end of the grade scale, 19% blasted execs for an "epic fail" that left company data an open target for hackers and criminals.

If there is any good news in the community report card, it's that for more than a quarter of respondents, their executive leadership is moving in the right direction, albeit with one significant qualification: "We lack critical tools."

More damning is the indictment from the 40% who say companies are either "barely meeting minimum compliance standards" or "flying blind" with security teams who lack the latest technology and training.

In Target's case, what happened to Steinhafel -- a 35-year company veteran -- should serve as a cautionary tale to other corner office execs that in today's complex and rapidly evolving threat landscape, security needs to be viewed as an investment not a cost.

Or, as PaloJoel observed in a comment on Why Security & Profitability Go Hand-In-Hand, "The real question business leaders should be asking security practioners is [how can I] make my security a competitve advantage versus how do I get you to stop draining my pockets. Bottomline: if I am robbed less, protect myself better, do it more easily, and spend less doing it than the other guy I am going to grow faster and be more profitable."

What advice would you give to your CEO about how to beef up the company's risk management GPA and turn infosec into a business benefit? Let ‘s chat about that in the comments.