Why CEOs Need To Be Engaged In Cybersecurity
Episode 28 Transcript:
Chris Curran: Growth Igniters Radio, episode 28: Why CEOs Need To Be Engaged In Cyber Security.
This episode is brought to you by Business Advancement Incorporated, enabling successful leaders and companies to accelerate to their next level of growth. On the web at www.BusinessAdvance.com. And now, here’s Pam and Scott.
Pam Harper: Thanks, Chris. I’m Pam Harper, Founding Partner and CEO of Business Advancement Incorporated. And with me is my business partner and husband, Scott Harper.
Scott Harper: Hi, Pam. I am so happy to be here again with you today. If this is your first time listening out there, the purpose of Growth Igniters Radio is to spark new insights, inspiration and immediately useful ideas for leaders to take themselves and their companies to the next level of success. So Pam, what’s on line for today?
Pam Harper: We’re going to talk about why CEOs need to be engaged in cyber security. This is such an important topic, given all the cyber security threats that are going on out there. In fact, you’ll recall that in episode 20, Peter Gleason, the President of the National Association of Corporate Directors, called out cyber security as one of the top issues that corporate boards and CEOs need to address to ensure their company’s safety and financial well-being.
Scott Harper: That’s right. NACD has published a blue ribbon panel report on that very thing.
Pam Harper: That’s right. But there are still so many misconceptions out there about cyber security and the role that CEOs need to play. That’s why we’re delighted to have Mahesh Muchhala with us today. Mahesh is founder and Chairman of award-winning DataMotion Incorporated. Since 1999, DataMotion has provided secure data delivery technology such as email and forms encryption, and has enabled organizations of all sizes to reduce the cost and the complexity of delivering electronic information to employees, customers and partners in a secure and compliant way. In fact, millions of users worldwide rely on DataMotion to improve operational efficiencies and reduce costs all while mitigating security and compliance risks.
Now, Mahesh has been a serial entrepreneur since 1975. In addition to his role at DataMotion, he’s also an active angel investor. He is actively involved in professional organizations and is a member of a number of angel investor networks. Mahesh, welcome to Growth Igniters Radio.
Mahesh Muchhala: Thank you, Pam. Thank you, Scott. Thanks for giving me the opportunity.
Pam Harper: Well, it’s our pleasure. We want to start out talking a little bit first about you and DataMotion. Why did you start DataMotion? What is the mission of your company today?
Mahesh Muchhala: DataMotion, I consider it as a constantly evolving company. It’s a continuously start-up company. We started in data security in 1999 based on securing a lot of communication going on over the internet, which was basically email encryption and email security. Over the period since, we have been continuously evolving into all sorts of security for data exchange over the open internet. That includes electronic forms, electronic file transfers, bulk emails, marketing data − everything.
In the last three years, we evolved our technology into healthcare IT, where under the new requirements for converting your health data into an electronic format, security has become of paramount importance because of the electronic nature of the health information. Now, we are one of the leading providers in healthcare security for a lot of electronic health exchanges.
As you see that from one area to another area, DataMotion has been constantly evolving and covering more and more different fields, different types of data transfer over the open internet, and providing compliance under the large number of regulations that are coming out for various type of data exchanges.
Pam Harper: That’s in response, Mahesh, to all the various types of cyber attacks?
Mahesh Muchhala: Yes. Cyber attacks are constantly a threat. As you know, the nature of our data has changed from being hard copy data into an electronic format. Data has become very, very fluid. It can be copied. It can be distributed at a lightning speed. The conversion of the data into electronic format has made the thieves very, very efficient. Increasing the cyber attacks has also become a pervasive damage to corporations because it is quite easy for these hackers to break into a lot of systems, because they’re all connected through an open internet.
The basic requirement for companies, for individuals is that the data that they have in electronic format should be stored in a manner that, even if it is stolen or copied, it cannot be used. Basically, keep the data encrypted and protected by passwords and different formats. That is why our type of technology constantly keeps evolving.
Scott Harper: Very good. Now, one of the questions that we’ve gotten asked a number of times when we talked about cyber security is, “This is an IT thing, right?” We don’t think so. What is your view about what the CEO, senior executives and the board members [need to do] … How should they be engaged in cyber security?
Mahesh Muchhala: Fundamentally, if somebody says that this is an IT area − yes, it is an IT area, but the security part is not simply an IT issue. For example, sending an email and sending my health record over an email is an IT act. To make sure that when I send my health information over an email, I send it in an encrypted format is my awareness, is an education that the company is giving to the employees. That, “Hey, if the data contains sensitive information, make sure it is encrypted and then you send it.” Encryption is, again, an IT part. Email is, again, an IT part. The knowledge and the understanding that this is for the function you should do is where the policies, procedures and execution of those policies becomes a corporate responsibility and a corporate requirement.
Scott Harper: Really, at its essence, IT security or cyber security − information security should be part of the culture of the company, and that does come from the top.
Mahesh Muchhala: That’s exactly right. That is why CEOs and the board must be very much aware of it. Why should a CEO be concerned about cyber security? The simple answer would be because he’s a CEO. He should be concerned.
Scott Harper: That’s the life blood.
Mahesh Muchhala: It’s just the title that he’s got. With that title comes that fiduciary responsibility. Yes, the CEO needs to be aware about these things. More importantly, along with the CEO, the entire board and the governance should be aware that the damage that a security breach can cause is something that you can not foresee. It can be in millions of dollars. Sometimes, for small companies, it can ruin the company. It can close down the company. Big companies, if it is Home Depot and Target or it is Anthem or Sony, they can survive after the attack because of their own resources. For small companies − the damages, if they run into like half a million dollars, $1 million dollars of cost, the company can go bankrupt. Therefore, CEOs need to be very much aware what needs to be secured, why it needs to be secured, and how it has to be kept secured so that employees understand that part and they implement that part very easily.
Pam Harper: Absolutely. We 100 percent agree with that.
We’re going to take a quick break right now. When we come back, we’ll talk more with Mahesh Muchhala, President and Chair of DataMotion, about company cyber security and the CEO’s role in increasing cyber safety. Stay with us.
Scott Harper: You’re listening to Growth Igniters Radio with Pam Harper and Scott Harper. Brought to you by Business Advancement Incorporated, on the web at BusinessAdvance.com. We enable successful companies to accelerate to their next level of innovation and growth.
If you like what you’re hearing today, spread the good word. Go to www.GrowthIgnitersRadio.com. Select episode 28, and use the share links for Facebook, LinkedIn and Twitter at the top right of the page to tell your social media community all about us. Use #GrowthIgniters. This will help extend our reach to all of the people who can benefit from this series.
Pam Harper: Welcome back to Growth Igniters Radio with Pam Harper − that’s me − and Scott Harper. Scott and I are talking today with Mahesh Muchhala, who is founder and chairman of award-winning DataMotion, about the growing importance of cyber security to companies of all types and sizes. Mahesh, how can people find out more about DataMotion and about you?
Mahesh Muchhala: DataMotion, you can visit our website. There is a ton of information there. It is www.DataMotion.com. In particular for the healthcare IT group for people who are very much involved in protecting personal health information, for themselves, for their patients, please visit www.DataMotionHealth.com.
Pam Harper: Thank you very much. Now, you laid out in the first segment some very compelling top and bottom line reasons why CEOs and boards need to become so involved in cyber security. Let’s talk a little bit more about this. How do you determine a company’s cyber security risk?
Mahesh Muchhala: The risk that a company is facing is generally … First of all, it is very much dependent on what the company is all about. What type of data they store. There’s not a problem for a retail store that they may have credit information about their customers. A hospital will have patient information. A college − university has got the student educational records. These are considered highly classified and highly sensitive data about different individuals. Depending on the type of data that a company’s major data banks are having, the risks can be different.
In order to understand what sort of a risk the company may face, the best bet would be for them to use a well-reputed professional security assessment because it not only depends on what the data they have, but how the data is handled and communicated, how the data is managed internally. While the data is being exchanged with outside partners, what are the means of data exchange they’ve adopted? For example, if there were secure mail, they use certain type of encryption or tokens. These are the important factors. What sort of policy and procedures they have in place to educate their employees on an ongoing basis, for the new hires for them to understand the risk involved in the data being handled by the company?
The best part is continuous vigilance. It is the duty of the CEO, the Chief Information Security Officers, and even for the board governance to make sure that the policies and procedures are established and followed. Review the logs of different activities on a regular basis. It can be weekly, monthly, quarterly but it is required to understand and make sure that whatever has been put down on a piece of paper as a policy is actually being implemented.
Scott Harper: That’s right.
Mahesh Muchhala: This is the biggest thing that is required. On top of all of this, consider how to transfer your risk. The basic most fundamental tool of transferring your risk is having cyber security insurance. Make sure that you carry proper insurance which is commensurate with the type of data and the risk involved with that data. You carry cyber security so that, beyond certain limit, insurance kicks in and lot of your monetary risks are transferred to the insurance companies so that you are not completely bankrupted by the damages that may happen sometime.
Pam Harper: You make a good point. Now, just because a company hasn’t had an incident … Sometimes we hear people say, “Well, we’re safe because we haven’t had an incident.” What do you say to that?
Mahesh Muchhala: Well, congratulations that you don’t have incidents. There’s no harm about that yet, but don’t fall asleep on that point. It will be better that you understand that, yes, I did not have any breach, whether it is luck. At the same time, I implemented these policies. The best tool will be that something would have gone wrong yesterday but, because we have taken these actions, it did not go wrong.
If you come across such an incidence, you’ll know that your policies and procedures and your processes are safe. It requires continuous monitoring. Just because you don’t have an incidence is not a reason to be relaxed about it. Keep your vigilance up on your policies and processes.
Scott Harper: That just sounds very prudent. Now, just a couple of days ago, Pam and I were talking to a CEO who said − I’m paraphrasing − “We’re a small company. We’re little. We’re not a big high profile target or whatnot, so we’re probably not at a very high risk of a cyber attack.” What do you say to that?
Mahesh Muchhala: Well, I don’t know what type of business they are in, but …
Pam Harper: Healthcare.
Mahesh Muchhala: The gentleman should not sleep. He should not sleep over that it is a small company. The problem with the healthcare, yes, is what can go wrong? Then the various federal as well as state and local regulations, which is there to implement … Just a process of breached notification requirement and the consumer risk mitigation requirements under the law are so burdensome that the cost can go very bad. A particular reason is that you are small, maybe your revenue is $5 million and you are making $1 million profit. If you get a half a million dollar of security breach expense, it can imbalance your finances significantly. Yes, the amount will be small. The amount for Target was, just a breach notification and the remedial action, the monetary cost was $147 million.
Pam Harper: Oh, my gosh.
Mahesh Muchhala: The loss of business could have been another couple of hundred million dollars. Target can bear that cost. But if a small company, which has a revenue of three or five million dollars or $2 million and has to come out with a quarter of a million dollar in legal fees and litigation cost − I believe that the company can go bankrupt or can have serious financial troubles going forward. The biggest problem will be that the small companies can be discarded very quickly, so he can lose his customers very fast.
Pam Harper: Now, they think they’re off the radar is what it is, Mahesh. They think that because they’re small, no one is going to notice them.
Mahesh Muchhala: That is definitely a good point. Yes, the people will not be noticing them for that particular reason. At the same time, disgruntled employees … There are a lot of internal reasons why certain breaches happen. All the breaches are not cyber attacks from Eastern Bloc countries or from outside of USA. There are lot of cyber attacks and other types of attacks which happen here locally. I think somewhere I read as much as one-third to half of the small company security breaches are caused by their past employees or disgruntled employees or a partner or somebody who wants to take a revenge on the company. That’s a very big fact.
One of the New York State reports that I heard somewhere stated that the small companies’ cost are increasing significantly. Another report said that, nowadays, the average cost of a breach has increased from $5.2 million to $6.35 million per breach incidence. This average cost takes a Target on one end, and it takes the small company on the other end and averages it out. It can be a significant cost. We need to be very much aware of it. If something does go wrong, what are your options? The smaller the company, please keep a better insurance so that, financially, you don’t get ruined.
Scott Harper: So the risk may be smaller from outside attack, but the impact could be so huge that it just makes sense to be more alert and button up the door.
Pam Harper: Absolutely. What this really does, is if anybody who’s listening had any doubts about whether they could be susceptible, I think you’ve made it pretty clear there’s some big top and bottom line impacts to this.
Mahesh Muchhala: That’s exactly right.
Pam Harper: We’re going to take another quick break. When we come back, we’ll talk more with Mahesh Muchhala about three things you can do starting now to evaluate and boost your company’s cyber security. Stay with us.
Scott Harper: Is listening to Growth Igniters Radio providing you with new insights, inspiration and useful ideas that you can use to take your company to its next level of success? Well, if so, imagine how much more you and your company could get from a highly customized in person Growth Igniters event as part of your next company offsite. Go to GrowthIgnitersRadio.com. Click “contact us” at the bottom of the page, and we’ll get back to you as soon as we can to discuss how we might best help you achieve your most important goals.
Pam Harper: Welcome back to Growth Igniters Radio with Pam Harper and Scott Harper. Over the last two segments, Scott and I have been talking with Mahesh Muchhala, founder and chairman of award-winning DataMotion, about the growing importance of cyber security to companies of all types and sizes. Mahesh, can you tell us again how people can find out more about DataMotion and about you?
Mahesh Muchhala: For DataMotion, you’ll get a lot of information and white paper about the requirement of security and implementation security on our website www.DataMotionHealth.com and www.DataMotion.com.
Pam Harper: Over the last two segments, we’ve been learning a lot about the top and bottom line impact of cyber security. Can you tell us about a few of the key elements of a strong cyber security strategy?
Mahesh Muchhala: I would emphasize three main points. One is preparedness, which includes having the policies in place, having the employees fully aware of the policies and educate them how to use those policies and what it means. That is the first part. The second part is to have an emergency response team. Again, this depends on your type of business and the size of your business. In healthcare and education, in financial institutions, these things are very, very critical. You need to know, when some breach does happen, how to respond to the breach, and who is responsible for that breach response. This is what we call emergency response team. Third, and most importantly for your financial protection, please be prepared with a good and detailed policy for cyber insurance coverage.
Scott Harper: Now, you mentioned this earlier, but I think it really bears repeating, Mahesh, that although a lot of these technical issues are IT centric, the CEO and the board and the executive team really have a role in building this kind of compliance into the culture so that people don’t see it as, “Well, that’s somebody else’s responsibility.” It’s really our responsibility.
Mahesh Muchhala: Yes, that is correct. This is particularly true for certain areas of the industry as we mentioned: healthcare, education, finance. These are the areas where the risks are high. It is a cooperative combined effort right from the top down to significant IT systems and IT system management groups.
The board also needs to be aware. The Board need not take the stand that we are not vulnerable and we never had an incidence, therefore, the demands that these IT guys are making are unnecessary. Try to understand what the IT guy is telling you, because the technologies are evolving continuously. What you installed or what you implemented three years back might have been obsoleted by now, and you need to replace it. It’s the cost of doing business.
Therefore, the board has to be aware of what are the implications of all systems. How to continuously improvise on what is done. Secondly, in response, the board must ask those IT teams and the chief information security officer, “Hey, tell us what you’ve done. Show us some of the logs. Show us the activities and show us actual reports to see that we spend money on is working. It is being implemented and that we have a reasonable protection.” Nothing is absolute, but we have a reasonable protection. In case something does go wrong, that we are prepared to face the music.
Pam Harper: Absolutely. Mahesh, these are all fabulous ideas and things that people can really do as soon as they get off of this episode. Do you have any last thoughts as far as what CEOs need to do to mitigate their company’s cyber risk?
Mahesh Muchhala: Be prepared and be vigilant. You do not have to over react to anything. You do not have to give it an unnecessarily high importance, but it is a requirement that should be duly considered and properly implemented with the team. Take the team with you. The team can guide you, and you can lead the team. Try to do it as teamwork and be very, very vigilant about it.
Pam Harper: Thanks again for being our guest today on Growth Igniters Radio.
Mahesh Muchhala: It has been a pleasure, Pam and Scott. I really appreciate the opportunity. Please feel free to contact DataMotion if you need any more information. Thank you.
Pam Harper: Absolutely.
Scott Harper: Thank you, Mahesh, and thanks to you out there for listening to Growth Igniters Radio with Pam Harper and Scott Harper. To check out resources related to today’s conversation, share on social media, find out about upcoming episodes or open a conversation with us, go to www.GrowthIgnitersRadio.com and select episode 28.
Pam Harper: Until next time, this is Pam Harper…
Scott Harper: And Scott Harper…
Pam Harper: …wishing you continued success and leaving you with this question to discuss with your team:
Scott Harper: Are we doing enough to secure our digital assets and communications against malicious attack? How do we know?