There are stories we tell over and over again because they are dense with meaning. In each telling we pull something new from them. I feel like the Target breach is going to be that story in the data privacy and security space.
When we first told the story it was a burglar tale—thieves in the night stole millions of dollars. Everyone beware. When we next told the story it was a cautionary tale for the Captain of the Ship. A good Captain goes down with his ship. Even if the loss was caused by a vendor.
Now the story is about sharing blame. Yesterday Roxanne Austin, the Target Board of Directors’ interim chairwoman, told shareholders that the Board takes its oversight responsibilities seriously and asked for their support in re-electing all of the directors.
Her comments were prompted when Institutional Shareholder Services suggested that members of Target’s audit and corporate responsibilities committees, including Austin, should not be re-elected because risk assessment and oversight of reputational risk were part of their duties.
So what is the moral to this story? Like all good stories, it has many. But perhaps the most important take-away for businesses in the wake of Target is that cyber risk is everyone’s problem. It’s a consumer problem. It’s a CEO problem. It’s a board problem.
It is time for businesses in every sector, but especially in critical infrastructure, to get serious about undertaking IT risk assessments, to work with attorneys to ensure inward-facing and outward-facing policies comply with quickly changing regulations, and to get their insurance broker on the phone to talk about cyber insurance.
This is not a story we want to be a trilogy.