The “Global Megatrends in Cybersecurity 2015” survey recently released by the Ponemon Institute found that the elephant is still very much in the room. Not unsurprisingly, the research showed that senior business leadership and boards of directors are not interested in what their CISOs have to say.
Often, those in the corner offices don't see the value of information security because breaches don't hurt the company's profitability, executives don't lose their jobs and they don't go to jail – the three things that seem to top their list of concerns. To convince the boardrooms of the importance of information security, a company will have to go under, and a C-level executive will have to lose their job or go to jail as the result of a breach.
Anthem's refusal to allow a federal audit may not have a positive effect.
But what about Anthem? I have doubts that the Anthem breach will move the bar any further than have any of the other mega breaches which have occured over the past five years. The only way that a breach makes that shift is with significant personal health information (PHI) disclosures, which at this time, do not appear to have happened. If the Department of Justice opens an investigation and moves toward prosecution, that would be a game changer. I do not believe this course of action is likely. That said, Anthem's refusal to allow a federal audit may not have a positive effect.
My point is to foster discussion among information security professionals and business leaders. Some business executives may believe that CISOs are only there to be fired when a breach occurs. Many business executives have calculated the risk and believe the bottom line impact of an information security breach is negligible to them and their company. The consumers and investors don't care, why should the board and business executives? Who will change that perception? The CISOs, the regulators or the legislators? Time will tell.