US CEOs Are More Worried About Cybersecurity Than a Possible Recession (fortune.com)
With markets uncertain, many onlookers might think a recession is on the way, whether that's most CFOs in the world or voters in the United States. But domestic CEOs don't find heavy economic headwinds their biggest external business worry, according to a new survey by the Conference Board. Instead, it's cybersecurity followed by new competitors. Risk of a recession is third. From a report: After high-profile data breaches experienced over the last two years by such companies as Marriott, Equifax, and Uber, that might seem understandable. But U.S. CEOs stand in stark contrast to those of the rest of the world. Cybersecurity was the sixth most pressing issue for chief executives in Europe. It was seventh in Latin America, eighth in Japan, and 10th in China. Regarding concerns over a potential recession, Europe put that in second place, while Japan, China, and Latin America all rated it number one.
Might want to be worried about both, my bois.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Even in a recession they still get their golden parachute, but an IT breach could reveal their porn browsing habits.
In a recession at least all of their competitors are feeling the pinch too. Sustaining competitive advantage is far more important than the temporary pain of a recession. A data breach and new competitors are much bigger concerns for any CEO with his/her head on straight.
-- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
In my experience working with C levels, they don't give a crap about either one.
Scenario 1: A massive cyberattack. All their source code, info on people, user accounts with decoded passwords, credit cards, payroll, etc., now are residing in a Lower Elbonian database public to the world. The C-levels short their stock, make the announcement that everything is hosed, laugh all the way to the bank, and toast the downed company on their new yachts. Insider trading? Not prosecuted these days.
Scenario 2: A massive recession. Simple. Bailout from the taxpayers if a financial institution, pay themselves some nice golden parachute bonuses, and then go visit the shipwright for the new yacht.
Either way, if the US and Europe descend into anarchy, they just move to another safe place. There are always South American and African countries who will take them.
A recession will barely affect those at the top.
Cybersecurity risks hitting their assets, bank accounts, and tax haven shenanigans.
If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
I have to agree with the US CEOs as much as that statement makes me shudder. Agreeing with sociopaths isn't something I do easily. I guess the CEOs in China know that US companies are being attacked but Chinese companies are maybe not on some of the hackers' radar yet? Otherwise 10th would be a bit ludicrous.
stop bitchin' or stop using a network specifically designed to be insecure
It's not like any of them will ever face -any- fines/punishments for leaking their customers' data out to the wild.
That's all they're really scared of... is people waking up to how few safeguards are in place for them and actually demanding accountability for these arseholes.
It's just like every other form of security.
An illusion.
Go ahead, put ALL the eggs there. Why the hell not?
They keep offshoring to India. Who is India's closest ally? Russia. It is one thing to bring known ppl to America, it is another to send work offshore where a gov that views us as enemies can access the software.
I prefer the "u" in honour as it seems to be missing these days.
They are worrying about the wrong thing, "cybersecurity" is only McCarthyism bullshit, a recession or a depression is something that hits real people and the poor more. But they don't give a damn because they receive huge bonuses every time the FED bails them out for their own terrible decisions.
They have golden parachutes.
Recessions will also allow for increased stock buybacks, give their people negotiating leverage over salaries, and useful employees are less likely to leave.
Cybersecurity issues can have more direct ramifications on the senior management.
This is what happens when government punishes people for allowing the lock on their back door to get picked instead of going after the actual criminals.
There's also a new "study" that says businesses are worrying about climate change "to a point". Maybe, but not in the way the radical environmentalists think. What they're really worried about is getting the sh*t kicked out of their expenses due to ever increasing regulations making it impossible to stay solvent (see what I did there?).
I am still running HP-UX 10.20, along with a large pile of UNIX systems that the vendors abandoned long ago. I threw away Alpha DS10s last week, but certainly not all of them.
I'm holding onto an Itanium for a VMS guy. And if you think VMS is old, you should see our OS2200.
If that was going to burn, it would have been cinders long, long ago.
From my own personal experience working at very large, IT dependent organisations, CEOs pay nothing but lip service to IT security. Shut-up then cover-up is the order of the day. Small companies, where CEOs can't hide behind layers of management and bureaucracy, and where they have to be good at their job and actually direct the company for its success, is where they really do care.
Economies rise and fall; recessions happen every so often, so of course one will happen sooner or later.
Democrats really wanted one to hit last summer before the mid-terms, now they're hoping for one in late 2019 or mid-2020.
So if they're worried about cybersecurity, does that mean they'll actually pay more for cybersecurity? Somehow I don't see that happening.
Of course they are more worried about a cyber attack which will look like a purple eye on their resume. While a recession will only make them out of a job, for which they have their golden parachutes ready. Of course they do not care about the rank-and-file they will leave behind without jobs and without a possibility of employment for the months or maybe years to come. Is this a surprise to anyone?
__________
The more I know people, the more I love animals
Also Russia.
CEO compensation is closely tied to "shareholder value". Voicing concerns about a recession or loss of revenue is bad for "shareholder value" and CEO compensation. CEOs will never see a recession coming, at least not publicly, but I would expect many to quietly adjust their personal exposure.
When the EU states start to fine companies for the breaches that have occurred since May last year when serious fines became possible, they'll start to WORRY.
In my experience, most people claim that security is a big problem. But, when the rubber meets the road, they are reluctant to invest. Why? Because the aftermath of situations caused by security breaches tends to be a lot of noise - and very little else. We keep hearing about huge security breaches in Equifax, Target, Visa, etc. I am sure that, after such breaches, heads roll in the companies affected. But such companies just keep going. A breach like the one at Equifax a few years ago should have brought the company to its knees. But, Equifax is still there, doing what it has always done. I am sure they took a beating, but it would seem that it makes financial sense for them to take that beating than having to invest in security to try and minimize the possibilities of such breaches: the most stringent security does not guarantee that such breaches will not happen. Hence the current situation: everybody pays lip service to security, claiming that it is very important. But, when the time comes to investing in security, most do not - because it is really not worth the while.
So, with a recession, there are a few things. First, recessions are beyond the control of any one company. Even in 2007, the issue was "the banks" - nobody blamed Wells Fargo or Capital One explicitly, which meant that they could play hot potato and work together to get their bailouts. A security breach doesn't have the same luxury.
Next, while a recession is a predictable economic cycle with well-understood means of remediation, a digital breach could mean anything. Even if it was something as innocuous as a breach from a customer feedback form (i.e. basically no personal data), it may well be reported as an Experian-type breach, and then it's simply the unwinnable game of bad publicity. On the other hand, it may not be personal data at all, but instead the sort of data that enables the company to have an advantage over its competitors. Sure, one would hope that the competitors aren't willing to pay for that data to be provided, but if a script kiddie puts some proprietary code on The Pirate Bay for easy download, it's near impossible to be sure that at least one of them won't take a peek. It could also be the sorts of things that would be embarrassing - information indicating that their ads aren't as truthful as they should be, the infamous Sony E-mail leaks, account credentials, and of course, Experian's experience with 'just about everything'. The concern over a breach is a concern over the unknown.
Finally, while there is no shortage of CEOs of questionable competence, in aggregate most have some awareness of economics. They understand the core tenets of finance and how money moves, and how economic trends affect their company. They may not be specialists like their finance or actuarial departments are, but they can have a discussion with some semblance of understanding. Their server rooms may as well be the halls of Hogwarts. Very few CEOs have an understanding of how data flows, how firewalls work, how networks fundamentally operate, or what sort of threats could cause a data breach. It's an utterly foreign concept that requires so many layers of simplification to have a discussion between CEO and the people who can do something to prevent a breach that even the attempt would require something far more rare than a CEO with a technical aptitude: a CEO and a technical person who have both patience and communication skills to decide what to do, how to do it, and have realistic estimates for both time and money.
So yeah, it's perfectly reasonable for CEOs to be more nervous about how to handle a data breach than a recession. One has been happening to everybody for a century. The other is newer with far less science behind it.
They are worried that their shareholders want them to talk about cybersecurity, rather than recession.
I work in cybersecurity. It's a huge market. That consists of 40% snake-oil, 40% faking compliance to some standard, law or other requirement and 20% of actual security. I'm mostly interested in the 20% and on some days I hate myself for it because I could make so much more money selling bullshit to the gullible or assurance of on-paper compliance to managers.
If they actually took security seriously, they would start doing some actual thinking about it. While the usual yearly reports outline the various dangers and threats, most of the actual events boil down to someone fucking something up, typically because they were short-staffed, on a deadline, with pressure to get it working right now. And while our tech solutions use machine learning to uncover advanced persistent threats with camouflage and polymorph capabilities, the core technology underneath is behind the 1960s level of understanding of security.
I'm a member of a national working group on a "new technology" topic I can't divulge. Nobody even thought about the security aspects of the technology until I brought it up. We still do security as an afterthought. In 2019. And wonder why it's a mess. It's like building a car and in the end, when everything is working well, having the idea that it would be really swell if people could sit on it somewhere.
If CEOs were actually worried about security, they would take a few simple basic steps to ensure that security goes into everything from the start and is a basic requirement. If your software tells my data to someone else, it is just as broken as if it doesn't tell my data to me. But guess how many user stories of the first kind you see compared to the second.
Assorted stuff I do sometimes: Lemuria.org
CEOs in Canada don't give a damn about security.
Yes, cybersecurity spending has increased perhaps 1000% over the last ten years. I've been doing cybersecurity work for twenty years. The first ten years, there was no money in it, but I enjoyed it. The last few years, my experience has become very marketable.
On Tuesday I was talking to a guy at an OWASP meeting and mentioned his company has 50 employees in the cybersecurity department. They aren't a security company.
Absolutely students have a responsibility to make decisions about what they study, where, at what cost. Spending $100,000 on a gender studies degree only makes sense if you have an extra $100,000 to spend on learning for leisure. WGU.edu makes sense if you don't have a bunch of spare cash.
ALSO the company who owns/owned several schools, Career Education Corporation, just agreed to not pursue payments in $500 million of student loans and to penalties in 48 states because the schools misrepresented the value of their degrees and did other bad things to recruit students in a misleading way.
So students need to research the value of the degree they are seeking and compare different schools. When schools publish information about the value of the degrees they offer, that information needs to be accurate and not misleading.
Recessions are largely equalizers, and all companies are typically impacted, and they are part of the normal ebb and flow. So you as lean and mean an organization as you can, and handle the bumps as they come along. Surviving Recessions is about profit maximization.
Cyber Security is not part of the normal ebb and flow. Cyber Security is about loss prevention, not profit maximization. Cyber Security doesn't create profit or mobility. Cyber Security doesn't enable users to be more productive. It is simply management overhead. Cyber Security is also a matter of who has the best techs and technology. Cyber Security is therefore a controlled cost, and a gamble. Control it too much, and you lose. Control it too little and you hurt company profits, and the other guy wins.
For execs and bean counters, Cyber Security is like paying an employee to play video games. It is a tough pill to swallow.
Would government mandated checklists and compliance tests resolve the issue, similar to OSHA and HIPAA compliance? Make it a level playing field for all businesses? Commoditize Security by spreading the costs across the entire industry? Create a market for solutions?
Or do we need to look at the infrastructure, such as the networking stack and protocols and find a better way of solving the Two Armies problem and the Byzantine Generals problem?
during a recession if you're wealthy. When a recession hits people lose their homes, their cars... and you buy them up at rock bottom prices and resell them when the recession's over. You can cut everybody's pay 20% and not raise it after the recession's over. And you can get the government to bail you out during the recession by holding the economy hostage.
Recessions are great business for the ultra-wealthy. Why do you think we have "Bull" and "Bear" markets? House always wins, and the ultra wealthy are the house. Wish I could get folks to understand that.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
There will be a recession; for some darned reason they keep happening every ten years or so.
Cybersecurity can affect your salary and bonus. In fact, a major cybersecurity incident can put you in the poorhouse while a recession is likely to increase your take home pay and bonuses.
Europe already got their privacy rules, so that's a known now. In USA, it's still an unknown. In Asia regions, no-one gives a shit about privacy so the execs don't fear it yet.
Absolutely correct. Which is why such matters always end up dealt with via regulations. And the fear comes from the fact they see the writing on the wall. Europe already has their GDPR. USA is next.
Yes, companies are VERY worried about cybersecurity matters right now. But it's not so much because they're afraid of the bad press if they get hacked. (Like people here keep posting -- security breaches of people's credit cards and personal info have become so commonplace, it's assumed that every valid credit card number in use in America is leaked out in one collection or another of data from the hacks. Your card isn't getting misused because hackers don't have it. Rather, it's just the fact that nobody has pulled it from lists of millions and millions of them and tried to use it yet.)
The big problem is a fear of lawsuits and losing major client contracts over it. There are so many government regulations in effect now (such as HIPAA, FURPA, etc.), many businesses are supposed to be in compliance now and yet they're only partially there. In other cases, businesses are cranking out increasingly detailed demands of vendors they work with, saying they must do A through Z as security measures, or else they're liable for any security leaks. A lot of this stuff is still just signed off on as "boilerplate", because companies don't fully understand what they're being asked to do and/or decide they'll just accept the liability if something goes wrong, as they try to become more compliant on their OWN timetables. But it's certainly a big fear.
I mean, as one example? I work for a company that uses a lot of freelance workers on a project basis, as needed. They're required to have company email addresses so their correspondence looks like it comes from our company. But otherwise, they're more or less on their own to work with their team of people that brought them on-board for whatever they're doing.
When the business was smaller, the people in I.T. pretty much met/interacted with all of these freelancers, so they were familiar with the sound of their voices, etc. That meant, if something came up like one of them contacting I.T. to request a password reset for their email? It was just taken care of without a second thought.
Well -- fast-forwarding to now, we suddenly had the realization that none of us in I.T. really know half the freelance workers we've been asked to create mailboxes for, anymore, and to complicate it further? Many of them are heavily using DropBox shared folders with people in their team. If someone wanted to, they could pretend to be somebody else, to request a password change and hijack the person's mailbox and/or DropBox. We never really had a system in place to help thwart that, because it just wasn't a "thing" until we grew enough for it to matter.
I'm sure this sort of stuff happens everywhere -- and when you're too busy managing everything else swirling around in keeping the infrastructure running properly, it's easy to overlook that it creeped in as a security weakness.
the same CEOs that pick the cheapest vendors and outsource to low bidders?
Are they potentially held liable for a recession? No chance.
Are they potentially held liable for a cyber attack? Well, the writing's on the wall that they could very well be held responsible if they can't show that they took reasonable steps to prevent it. The noose is getting tighter, Europe already is moving towards liability laws for data breaches and security blunders if the CEO can't show that he didn't just blatantly ignore any kind of security warnings from his infosec department (or shows his negligence by not having one).
It's basically self interest that they start taking infosec seriously. Sooner or later they will be held responsible for it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.