• United States




Yahoo and ‘the failure to comprehend’

Mar 09, 20174 mins
Data BreachIT LeadershipSecurity

One of the biggest challenges facing the C-suite and boards is the failure to comprehend the universality of cyber security threats.

marissa mayer president ceo yahoo
Credit: REUTERS/Elijah Nouvelage

Yahoo Inc. recently told the SEC that its senior executives failed to "properly comprehend or investigate" the 2013 and 2014 security breaches that affected more than 500 million accounts, according to a review by an independent board committee.

The review found fault at several levels of the organization. There were problems with internal reporting, management, communication around the breach, the company said.

The fallout from these breaches has been severe. In addition to several class action lawsuits, the breaches also put Verizon's $4.83 billion pending acquisition of Yahoo! in jeopardy. Now, in addition to all of these problems, the findings of the board committee were accompanied by financial fallout for the company's CEO, Marissa Mayer. The board decided not to award Mayer her 2016 cash bonus and Mayer offered to forgo her equity award in 2017 and the board accepted.

When it comes to cybersecurity, the onus is on boards and C-suite executives to establish clear business processes and accountability and as well as clear lines of communication. If that wasn't clear before, it should be crystal clear now.

It's tempting to sit back and point fingers at Yahoo! but the reality is that this breach is hardly an isolated incident. One of the biggest challenges facing the C-suite and boards is the failure to comprehend the universality of cyber security threats and the negative impact of a major cyber security breach. This failure to comprehend the scope of the problem means the necessary reporting and processes needed to effectively manage this risk are neglected and de-prioritized.   

Harvard Business Review published a new study  that sheds light on exactly how serious this problem is. The study evaluated responses from over 5,000 board members from over 60 countries and while cyber security ranked as one of the top political issues and directors see it as an urgent global issue, most failed to make the connection between the immediacy of these risks and the processes in place to manage them. 

In fact, when asked about reviews of data breach contingency plans directors gave their boards extremely low marks. Even worse, of the 23 business processes directors were asked to rank the ones related to cyber security ranked dead last.

These failures to comprehend and effectively manage cyber security issues at the board level are a serious problem. An IBM study found that the average cost of a data breach is $4 million. A recent Cisco study  found that 50 percent of companies faces public scrutiny after a breach, 22 percent of them lost customers, and 23 percent lost business opportunities.

Cyber security can be a complex and challenging topic for non-technical executives but there are many concrete things boards can do to prioritize these issues. Here's a list of five things every board should do today:

  • Make cyber security briefings a regular agenda item at board meetings.
  • Bring in an expert; if there isn't a cyber security expert on the board bring one in or hire an external expert.
  • Make sure these risks are evaluated as business risks; resist the temptation to consign them to the audit committee.
  • Hold executive management accountable for evaluating cyber security risks maintaining response plans.
  • Build cyber security into the organization’s long-term business strategy and review it whenever new business initiatives and product or service are evaluated.

None of these recommendations is surprising — there is a lot of information available to boards that want practical advice on how to address cyber security issues. The real cyber security questions for most organizations are connected with leadership and prioritization. I've been sitting on boards (and executive teams) advocating for over 17 years and I've found that the answer to these question determine how effectively an organizations adapts to the evolution of cyber security threats.


As CIO and chief information security officer at Venafi, Tammy Moskites helps CIOs and CISOs fortify their strategies to defend against increasingly complex and damaging cyberattacks on the trust established by cryptographic keys and digital certificates. Tammy draws on her professional experience, leadership capabilities and domain expertise as a CISO at Global 250 companies to help fellow CISOs defend their organizations. There is often a gap that cybersecurity teams miss in securing keys and certificates that leaves the door open for cybercriminals. Tammy’s leadership and experience will help other CISOs close those doors.

Prior to joining Venafi, Tammy served as CISO at Time Warner Cable, where one of her many responsibilities was to re-engineer and centralize the information security and IT compliance organizations to support global operations. Tammy also held the CISO position at The Home Depot, where she provided strategic executive and collaborative business direction for several teams, including identity and access management, IT compliance and regulatory, e-discovery and forensics, encryption and more. Tammy's other relevant security experience includes stints at Huntington National Bank, Complete Information Technologies LLC, BankOne, Nationwide and Aetna.

Tammy is also a leader in several important IT security organizations, including ISSA, ISACA, InfraGard and the Information Risk Security Board. In 2013, she was recognized as one of the Top Women in Technology by CableFax magazine and as one of the 25 finalists for the Evanta Top 10 Breakaway Leader Awards. In 2010, she was the winner of the Information Security Executive North America People’s Choice award. Tammy is a member of the advisory boards of Box and Qualys, and she provides strategic guidance to other industry-leading security vendors.

The opinions expressed in this blog are those of Tammy Moskites and do not necessarily represent those of IDG Communications Inc., or its parent, subsidiary or affiliated companies.