Two security incidents are exposing the insecurity that CDOs currently face.
The first occurred when Cathay Pacific discovered unauthorized access in March 2014, which it publicly reported on October 24, 2018. A limited number of credit card details were also stolen. It is a massive blow to confidence for an airline that is already suffering severe market challenges and the exit of key senior management.
There was a general groan: a lot of loyal customers felt exposed, many wondered why it took so long for the report to go public, some gasped at what it would mean for their credit card details and a few raised their fists in anger.
But the key lesson for CDOs lies in the extremely complex reporting process that Cathay Pacific had to go through to announce a breach that later turned out to be more severe than first thought.
The airline noted in a Reuters report that it informed a total of 27 regulators in 15 jurisdictions about this breach.
For a CISO, it is a huge nightmare that adds to the anxiety over the breach itself. It can essentially amount to 27 separate investigations that could quickly mushroom, with looming questions on whether Cathay Pacific's actions could trigger the General Data Protection Regulation (GDPR), which stipulates steep penalties but is not retroactive to incidents before its May launch.
The incident puts the spotlight on incident reporting. It is a CISO's job that is fast becoming a CDO's concern.
A major issue with incident reporting is regulatory reporting -- it can be complex and burdensome, taking away precious time that could have been used to find out more about the breach.
Essentially, regulators need to start doing more than talking to each other and sharing notes. They need to build a global framework that protects consumer data, not just focus on financial fraud and terrorism. They also need data-centric policies that allow quick reporting and escalating across jurisdictions, so cyber forensic teams and the police can act quickly.
As it currently sits, incident reporting will continue to be a complicated nightmare for global companies. It will only get worse as more companies integrate, partner and share data. CDOs can be assured that hackers are waiting on the sidelines to exploit gaps and hide behind the slow response of their victims.
The second cybersecurity event offers a different aspect to a CDO’s security woes.
So far the reports say that the breach is limited to the Starwood database, which includes data from consumers who stayed in W Hotels, St. Regis, Sheraton Hotels & Resorts and Westin Hotels & Resorts. Marriott International merged with Starwood only recently.
What is more worrying is that a single party carried out the breach, which remained undiscovered for four years (while Starwood was a separate brand).
It goes back to the challenge that CDOs face in today's merger and acquisition climate. They are taking on new risks as companies consolidate, merge and buy over companies to grow their business.
CDOs need to work closely with CISOs to understand whether the data security policies can be enforced across the new company's data infrastructure. They also need to ensure that the data that security products use for monitoring and detection is fine-tuned for the newly merged network.
It is time for companies to look beyond fiscal audit reports and consider security audit reports as well. It requires a rethink of security as it becomes everyone's responsibility, not just the CISO's.
More importantly, if CDOs want to drive digital transformation, they need to tackle the hard questions on data security from the outset. Otherwise, as we saw with Cathay Pacific and Marriott International, it will come back to haunt them.