Back in 2002 a GM engineer selected an ignition switch for several GM models "…that was so far below GM's own specifications that it failed to keep the car powered on in circumstances that drivers could encounter, resulting in moving stalls on the highway as well as loss of power on rough terrain a driver might confront moments before a crash." That bad decision, compounded by nearly a decade of operational mistakes and lack of management oversight, has cost GM over $2.5B to date and may exceed $5B overall.
Cybersecurity incidents (such as the recent Target credit card data exposure that resulted in the resignation of both the CEO and the CIO and an estimated direct cost of over $1B) often have similar roots in bad operational decisions, poorly trained staff and lack of visibility at the senior management and board level into cyber-risks that can lead to significant business impact.
Based on the Valukas report that detailed GM's management and culture failures in the ignition switch problem, I've put together the top questions CEOs and Boards should be asking CIOs and CISOs about potential cyber risks:
Do we have frequent (ideally continuous) visibility and oversight into adherence to cybersecurity standards for IT systems, networks and software? The ignition switch selected in 2002 actually did not meet GM specifications — yet it was used in over 17 million GM cars. Verizon's yearly Data Breach Investigation Report consistently shows that most data breaches are the result of configuration mistakes that violated existing policies and standards but went undetected for months and often years.
Do our key personnel, at the business, technical and management level, have the skills, experience and training to understand the cyber-risks and potential business damage of the decisions they will make on a daily basis? — The Valukas report noted "… individuals tasked with fixing the problem - sophisticated engineers with responsibility to provide consumers with safe and reliable automobiles - did not understand one of the most fundamental consequences of the switch failing and the car stalling: the airbags would not deploy." Most of the largest cyber-security breaches can be traced to operational and management decisions that wildly underestimated, and often ignored, both the magnitude and probability of a serious cyber-incident.
Do we know why anything less than 100% of our employees, suppliers and business partners would actually report a potentially serious security problem? Equally importantly, do we know that corporate management would respond rapidly, knowledgeably and appropriately 100% of the time? The Valukas report details many layers of inaction and deflection when the problems with the ignition switch were reported. The vast majority of data breaches were preceded by indications that were either ignored or misunderstood by several layers of operational and corporate management.