Yahoo Inc. attributed a significant data breach affecting 500 million clients to a foreign state, potentially to mitigate legal consequences. The article emphasizes that effective cybersecurity responsibility extends beyond technology and involves multiple organizational roles, including the CIO, COO, and CHRO, necessitating a comprehensive risk management approach. The lesson drawn from Yahoo's experience highlights that investing in robust cybersecurity is ultimately more cost-effective than dealing with the aftermath of breaches.

1. NOVEMBER/DECEMBER 2016 25
When Yahoo Inc. recently reported a data breach that involved the theft of 500 million clients’ records two years ago,
the company laid the blame for the entire incident squarely on a foreign state. This finger pointing suggests that Yahoo
sees the breach as an international relations matter, and that the company’s board, CEO and management team were
innocent bystanders.
Some speculate that Yahoo took this tack to reduce its culpability in any class-action lawsuits to follow. Regardless,
the unacknowledged failure on the part of Yahoo means that some customers will be counting the cost of the breach for
years, as their data linger on the Internet and the Dark Web, possibly forever.
The outcry that followed Yahoo’s announcement demonstrates that the public sees the responsibility of corporate
cybersecurity as being non-transferable from business. Indeed, what Yahoo did serves as a warning to others, and as a
motivation to understand where the responsibility for cybersecurity really lies.
Cybersecurity:
Whose Job is it Anyway?
GUY PEARCE
C Y B E R R I S K
NOVEMBER/DECEMBER 2016 25

2. 26 DIRECTOR JOURNAL
TECH IS NOT
ENOUGH
Clarifying the roles of the chief
information officer, the IT department
and management depends first
on defining an organization’s
cybersecurity strategy and objectives.
Those attributing responsibility for
cybersecurity to the IT department
and the CIO wrongly believe that
cybersecurity objectives are limited
to defending only against risks such
as hackers, viruses and malware. In
reality, a comprehensive cybersecurity
strategy extends far beyond these risks,
which means that technology on its own
cannot be a sufficient line of defence
against cyber risk.
Furthermore, research shows that
most data breaches are not technology
based, but are instead caused by physical
theft or loss of equipment, such as flash
drives and smartphones; “miscellaneous
errors,” such as e-mailing data to
the wrong person and unsecure
data disposal; and insider misuse by
employees with privileged data access. .
Third-party breaches are another
considerable cyber risk that technology
can only partly mitigate. The massive
data breach suffered by Target in 2014,
for example, resulted from the misuse
of a password provided to an HVAC
contractor.
While the primary causes of
data breaches will change over time,
concentrating an organization’s entire
cybersecurity strategy on a technology
response can leave it exposed to
unsatisfactory levels of residual cyber
risk. Identifying residual cyber risk is
a necessary part of effective cyber-risk
management and a growing governance
imperative.
% CAUSES OF DATA BREACH
29.4
Miscellaneous error
25.1
Crimewave
20.6
Insider misuse
15.3
Physical theft/loss
4.1
Web app attacks
3.9
Denial-of-service attacks
0.8
Cyber espionage
0.7
Point-of-sale intrusions
0.1
Payment card skimmers
26 DIRECTOR JOURNAL
C Y B E R R I S K
Source: Verizon Data Breach Report, 2015

3. NOVEMBER/DECEMBER 2016 27
IT’S ALL ABOUT
DISCIPLINE
So how can one proceed to identify
the full scope of cyber risk, and to
identify the roles needed for an effective
cyber defence? Basic risk management
discipline guides us here.
Risk identification
Reviewing network logs, forensic
audits and independent security reports
provides a structured way to identify
risks. Conversations with cybersecurity
vendors can prove useful. Analyzing
the organization’s tasks and activities,
business processes and data flows for
security vulnerabilities is also essential,
but often overlooked.
Objectives
Cybersecurity objectives are best
defined once all the risks have been
identified. The more detailed the
objectives, the better the risk response
design.
Risk assessment and response
Identified risks should be assessed
for severity, followed by the development
of risk controls in the form of mitigating
policies, procedures, standards,
guidelines and technology tools.
Corrective actions may be needed
for the affected business processes and
data flows, which could potentially
involve both the chief operating officer
and the CIO. New processes may also
need to be developed as part of the risk
response.
Employees and contractors require
specific training, as well as general
training that creates an enterprise-wide
awareness of cyber risk. Creating an
environment where all staff strengthen
the line of defence is more important
than ever, as regulators increasingly
demand that companies grasp the
importance of mitigating risk from the
ground up. Training and culture mean
that the chief human resources officer
(CHRO) must become a key player in
the defence against cyber risk.
Execution
Execution is monitored against
performance metrics while the strategy
is continually updated in the presence of
new information.
From a governance perspective,
how should a board respond to
management’s claims that cybersecurity
measures are in place? Ask for evidence.
If management cannot detail the risks
it is mitigating, is not able to map each
of these risks to an appropriate risk
response, or cannot talk about residual
risk, then the board should feel uneasy.
A risk identification and risk response
mapping document – in effect a cyber
risk register – is a key control.
SECURITY IS
EVERYONE’S JOB
Cybersecurity cannot be the
responsibility of the CIO alone, and
neither is technology a silver bullet for
all cyber risk. Not only the CIO, but
also the CHRO and the COO have roles
to play in an effective cyber strategy,
all of whom may report to the CEO.
The CHRO could also be a member of
the board’s HR committee, the CIO of
the ICT committee, and the COO of
the risk committee, all of which report
to the board along with the CEO.
Pinpointing responsibility for a breach
then depends on identifying whether
people, processes or technology are the
point of failure.
Ultimately, the reputation damage
from Yahoo’s data breach, and its
attempt to deflect blame from the board
and the CEO, likely exceeds what it
would have cost Yahoo to create a secure
environment in the first place. The New
York Times has suggested that security
spending at Yahoo was deprioritized,
perhaps in the context of Verizon’s
proposed US$4.8-billion acquisition
of Yahoo. How much Verizon’s offer
for Yahoo may fall following the
data breach disclosure – if it doesn’t
withdraw totally from the deal – would
quantify the damage. An offer of even
US$100-million less – effectively
a measure of the destruction of
shareholder value – would exceed what
it would have cost to properly secure
Yahoo. The lesson is clear: Effective
cybersecurity is far cheaper than the
alternative.
And what about that state-
sponsored attacker? There is nothing to
suggest that a diplomatic line of defence
– such as Canada is in the process of
securing with China, and as the United
States has already established – will
ever be an acceptable replacement for a
physical line of defence. History shows
that diplomacy is no deterrent to rogues,
and also that accords and treaties are
broken all the time. Since government
cannot offer business guarantees under
this model, the onus for a physical
line of defence still rests with the
corporation.
GUY PEARCE serves on the board of the
International Institute of Business Analysis and
is a consultant specializing in strategy, risk,
data and technology.
C Y B E R R I S K
This article originally appeared in the Director Journal, a publication of the Institute of Corporate Directors (ICD). Permission has been granted by the ICD to use this
article for non-commercial purposes including research, educational materials and online resources. Other uses, such as selling or licensing copies, are prohibited.