14 Security Fails That Cost Executives Their Jobs

Katherine Archuleta, the director of the Office of Personnel Management, is the latest casualty of a data breach, but she's certainly not the only one. There's no job security when your job is security.
Off Target
The (Exit) Interview
Gangnam Style
Password Error
Too Open For Business
Breach? What Breach?
Discs And Data
Don't Taunt Hackers
Octopus's Garden
Home Free
The Home Affront
Heads Will Roll

You had one job: Secure the data. What happened?

Life as a CEO, CIO, or CTO is a bit more complex than that. Not every executive is directly responsible for IT security. Few have a deep understanding of it.

But in our networked world, IT security is the foundation of a successful business, and blame is shared when the floor collapses. Organizational leaders may prefer to focus on the big picture, but inattention to security has proven to be a poor career move.

Katherine Archuleta, the director of the US Office of Personnel Management, is the latest casualty of a data breach. She resigned on Friday following revelations that hackers had made off with the data of 21.5 million people who applied for government background checks. Her agency previously disclosed that the personal information of more than 4.2 million federal workers had been compromised.

In a May 2015 study, based on information from 350 companies, IBM and the Ponemon Institute found that the average total cost of a data breach increased to $3.79 million from $3.52 million last year. The average cost paid for each lost or stolen record with sensitive data rose as well, to $154, from $145 last year. That's a global average. In the US, the cost per capita reached $217.

By that measure, the theft of 25.7 million OPM records could cost almost $5.6 billion. If only those funds could be added to the $14 billion proposed for cybersecurity in FY2016. After all, the OPM breach could have serious, long-term implications for national security.

Monetary costs tell us nothing about the angst and inconvenience visited upon the victims of a breach, or the personal and professional toll paid by whoever accepts responsibility.

It's infuriating for data theft victims to be forced to worry about fraud and identity theft due to someone else's errors, ignorance, or incompetence. At the same time, it's difficult not to be a bit sympathetic to those called upon to maintain security using systems and people who are unavoidably flawed. Those who do the job well succeed, in part, because there's someone else out there doing the job less well, someone running an organization that's an easier target.

When you look at the list of companies that have been hacked in some way, it becomes apparent that even the most technically sophisticated organizations can be breached given a sufficiently well-funded, determined attacker. Speaking on 60 Minutes in 2014, FBI Director James Comey put it this way: "There are two kinds of big companies in the United States. There are those who've been hacked by the Chinese, and those who don't know they've been hacked by the Chinese."

And Chinese hackers are not the only hackers in the world.

Given the vulnerability of IT systems, the first act of an incoming CEO, CIO, or CTO should be to write a resignation letter, apologizing for the "unforeseen" data breach that everyone feared was coming. Ideally, the letter's presence will serve as a reminder to prioritize security concerns.

With luck and diligence, the letter will never need to be tendered. But many executives have not been so fortunate or attentive. Here are a few who have stepped aside or been forced out following a breach. Maybe there's a lesson here, or maybe we're all just waiting for the other shoe to drop.

Next slide
Editor's Choice
Richard Pallardy, Freelance Writer
Salvatore Salamone, Managing Editor, Network Computing
Kathleen O’Reilly, Leader, Accenture Strategy
Cassandra Mooshian, Senior Analyst, AI & Intelligent Automation, Omdia