“Amy Pascal steps down as head of Sony Pictures’ film business.”
That banner displayed on my phone, sent by the Wall Street Journal. If they deemed it important enough to trigger a blast, chances are your executive team knows about it. Maybe it matters to them.
This is an opportunity for the security leader.
As it makes headlines, Pascal’s departure is an excellent conversation starter with fellow executives. The key is engaging as a leader and focusing on how a highly public story matters to your organization.
Be cautious in suggesting Amy Pascal lost her job because of the actual breach. As with any announcement wrapped in the headline of “security breach,” this is no cause for celebration. The challenge is sifting through the nuance of what happened, how it was handled, and the fallout.
First, note the language and a few details:
- Amy Pascal is “stepping down” - she wasn’t fired (even though the headlines imply as much)
- Her contract expires in March - makes for great timing to part ways and save face
- She’s starting her own production company in May (at Sony) - so this is not likely the end of her career
Security breaches provide fantastic cover to handle otherwise unpleasant tasks. In this case, however, it does seem that the breach played a role in her departure. It appears that Pascal is stepping down “to pursue other interests” because of what the breach revealed.
The breach, response, and subsequent handling are minor players. The larger issue and focus of the headlines was the nature of her emails and other information leaked by the attackers.
With that in mind, here are three questions to frame the conversation security leaders need to have with executives and board members.
1. “What did you think of the announcement?”
They may actually share some insights into the way boards and executives handle such events. Perhaps they have little opinion. There is no right or wrong answer. The key is absorbing what they say, and paying attention to what they don’t say.
This is your starting point for the conversation. Then pivot to your organization.
Explain that while the lack of focus on security may have played a role, you see it as more indirect. Pause for just a second. Give them a chance to react. Consider their response.
Aside: it’s a bit unusual for a security leader to suggest that an action in the wake of a breach may not have been directly related to security. This is important because it demonstrates your capacity as a leader to look at a bigger picture and draw on additional expertise.
If necessary, point out that the interest in Sony tended to focus on salaries, contracts, scripts and the personal and sometimes crude emails of the executives.
2. “Is there anything in your emails and files that, if exposed, would get you fired?”
This is a direct and specific question that has a tendency to make people uncomfortable. Leaders ask hard questions, but give people the space to process and come to the right answer. Some folks respond well, some don’t.
Don’t try to predict or prejudge the answer. The point is to seed the concept and see what it leads to. Focus the conversation on what matters to them.
This is a chance to listen and learn. Don’t lecture and bore them to death. Instead of focusing on what you’ll say next, be present and participate in the conversation.
If it’s really uncomfortable, shift away from their personal embarrassment to ask about intellectual property or other areas of interest. Don’t worry about technology unless they bring it up. Chances are, they won’t.
Listen to their words and make a note of what matters to them. This is what you and your team need to protect.
3. “In the event we experience a breach, what are our priorities?”
This is the opportunity to set aside the bias for breach prevention and encourage others to do the same. Introduce the “assume breach” mindset and the importance of speed of detection coupled with accurate response.
The nature of this question focuses on response. However, understanding the priorities helps you to align prevention, detection, and response on what matters most. (Note: the board and executives may not always have the same priorities - a different challenge to address later.)
Making time for “the talk”
The time for the talk is when the headline is still generating buzz. That means making time now.
The key is positioning it as a conversation, not a lecture. Keep it brief. Bring the coffee and danish. Ask these questions and see where it leads. They should reveal some key insights you need to make sure you and your team are focused on the right areas. The conversation may even lead to more discussions and opportunities to make some needed adjustments -- to align with and protect the business.
As a security leader, this is your time to connect, learn, and influence. Have a good conversation and let me know how it goes.