A study by Kaspersky Lab on data protection for personally identifiable information, uncovered a new insight into the cost of data breaches: In almost one-third of the breaches studied, someone lost a job in the aftermath.
The toll on high-level executives in high-profile breaches has been well documented.
- The CISO, CIO and CEO left after the massive Equifax breach
- The senior vice president for IT departed Reckitt Benckiser, after the NotPetya malware hit this major maker of household products
- Yahoo’s general counsel was terminated to take the blame for the company’s slow response to its giant loss of PII
- The Chief Security Officer of Uber was canned, reportedly for covering up the breach of 57 million customers (even worse, he reportedly paid the hackers $100,000 to delete the data).
What’s new in the Kaspersky survey of over 1,900 organizations worldwide is the down-the-org-chart consequences. Thirty-one percent of organizations suffering at least one data breach followed up with layoffs (see the chart below). The axe fell most heavily on senior IT security officers (45% of big companies) but one-quarter of these breaches led to firing “functional IT” staff. The study breaks out layoffs by country, and it turns out that China is the most dangerous place for senior IT security staff, with a 61% firing rate.
Now, here’s a question to ponder that the study can’t answer. Were the layoffs because of the breaches or because security staff didn’t prepare management for breaches by laying out the risk, in other words, the probable likelihood and impact of loss-causing cyber events.
Smart cybersecurity risk managers know that perfect security is impossible, but it is possible to avoid shocking surprises by making everyone from the Board on down to the people in IT aware of the risks the organizations faces, and the investment decisions they might make to reduce those risks. In the event of a data breach, the whole organization shares the experience, not just some scapegoats down in Functional IT Security.