Over the past few weeks we have been witness to the sordid corporate governance drama being played out as a result of the summary dismissal of Mr Cyrus Mistry as Chairman of the Tata Group, with the appointment of Ratan Tata as the interim Chairman. It was not a graceful action, as would have been expected from the House of Tatas, who are well known for their standards of ethics and governance.
However, in India a lot of actions are explained by the phrase “Chalta Hai” (learn about this attitude here) which loosely sweeps all the muck under the carpet and the powerful one sits atop the heap.
The dregs of governance scraped by the “House of Tata” are not new in the national ecosystem. We have many examples of bad governance that sully the nation’s reputation; to name a few: Kingfisher Airlines, Satyam Computers, National Spot Exchange Ltd (NSEL), Financial Technologies (Jignesh Shah), Suresh Kalmadi / Commonwealth Games, N Srinivasan / BCCI, Harshad Mehta and his BIG banker friends. Our venerable national regulatory institutions and Ministries (like RBI, SEBI, IBA, MEA, TRAI, DOT, FinMin) are not draped in white linen either and usually set the tone for such thinking and the no-one-can-touch-me or I-am-connected attitude of these all-powerful bad governance players.
The slow pace of the judiciary plays its own role.
These are events I quote from memory and they stand out because all the actors brazenly and shamelessly stood by the lies and shady actions perpetrated by them. I wonder how they became leaders of their world and it must be some psychological illness which led them to their own dirty end. However, I must also say it is not the end of the road and there are
This leads to my next question: when governance is suspect, who will take responsibility for cybersecurity? It is now well established that a cybersecurity breach can cause losses, direct or indirect, and this has a bearing on the bottom line as well as the reputation and/or existence of the organization.
The usual (age-old) practice, as practiced by mankind, is to shoot the messenger, and the aftermath of a cybersecurity incident is no different. Once the recovery is done, organizations usually lose no time in firing the CISO and the security team, giving the impression that the breach was their fault.
Unfortunately, nothing could be further from the truth, but no organization will stand up to scrutiny on this count.
This is where the Board needs to ask tough questions and establish the ACTUAL cause behind the cybersecurity incident. No one should be surprised if this trail leads to the office of the CFO, or the CEO, or the Budget Committee. Lack of funds may have forced the Security team to cut corners and live with weak defences. Lack of top management support is the cause of failed awareness programs, which lead to the basic errors that have consumed the reputations of organizations like RSA, SONY and Lockheed Martin.
It is standard practice to conduct a Root Cause Analysis (RCA) in the aftermath of any disaster to ascertain the cause, extract learning for future avoidance, and update existing controls. However, the usual RCA analyses the operations but not the business / strategic drivers that may also be contributors to the incident.
In today’s work scenario, it is bad governance on the part of management not to support cybersecurity wholeheartedly, and the responsibility for an incident will have to be shared by the board or those persons who opposed budgetary allocations and did not permit their team members to attend awareness sessions. It will also be the responsibility of those managers / CxOs who do not recognize the need to consult with their Security teams for minor and major business changes. It will also be the responsibility of the managers / CxOs who have egos so big that they consider themselves to be impenetrable or think that they have “nothing” of value to a malicious cyber criminal.
It is not about saying that “it is time to change our thinking”, because this statement can be termed passé and is more of a cliché than a call for change. It is time we kicked ourselves for still clinging to the old thinking while we carry and use cutting-edge technology.
Comments and feedback are welcome…