Business leaders still in denial about cybersecurity threats

Many companies don’t see themselves as attractive targets for hackers. Matt Comyns, the global cybersecurity practice leader for recruiter Russell Reynolds Associates, begs to differ. | February 19, 2016 interviewed Russell Reynolds Associates' Matt Comyns for their article, "Business leaders still in denial about cybersecurity threats," on how some companies continue to underestimate the threat they face from hackers. The article is excerpted below. 

Much of the corporate sector remains in denial about the allure their information holds for hackers, nation-state spies and other malcontents, says Matt Comyns, the global cybersecurity practice leader for executive recruiter Russell Reynolds Associates. Despite the fallout at Target that saw the CEO and CIO lose their jobs and the catastrophic revelations of embarrassing emails at Sony Pictures in 2014, companies question whether their assets court the same risk as those brands.

Most companies aren’t targeted by hackers seeking to steal data or to spill information that results in public relations nightmares, but the what-me-worry stance misses the point -- badly, says Comyns. All it takes is one significant hack for a company to become Targeted, or Sonyed. "I still walk in the door of companies searching for a CISO who say: ‘Who would come after us, we’re not Target, we’re not Sony?’ But I think to myself: ‘I'm not so sure that's the right question’."

Comyns says roughly a third of the companies that call Russell Reynolds for CISO searches make a point of downplaying the value of their data. It could be a bargaining tactic to drive down the price of CISOs. It could also be wishful thinking wrapped in naiveté. Comyns, who says he expects his cybersecurity searches to double this year, recently spoke to about the current state of cybersecurity.

Cybersecurity breaches continue despite more awareness

Why has it taken publicity on the scale of a Target or Sony to bring the gravity of cybersecurity defense to light?

Matt Comyns: Many companies were blissfully unaware that they’ve been breached, especially those that didn’t have credit card information. Companies learned they have been breached because the FBI knocked on their door and told them they had a problem, that they had traced the dots from stolen credit card information back to Home Depot, Target or somewhere else. But if you didn't have a lot of credit card information, how would you have known? You didn't know.

It seems so obvious now, so when we look back we ask: How could you be sleeping at the wheel? What were you thinking? But back then it wasn’t so obvious. It came upon everybody with such force that now everybody is in reaction mode and getting up to speed. In 2016 if you’re not doing the right thing now, shame on you. But I am still shocked about some of the mentality and lack of maturity in information security here.

To your point, the breaches are continuing, with hotels such as Starwood, Hyatt and Hilton all announcing breaches toward the end of 2015.

Comyns: I know another hotel company with 500 hotels in the U.S., they have a CISO who is an information security group of one. He doesn't even have a support deputy. He has to beg, borrow and steal help from IT and the CIO.
