In our last post, the CEO and the General Counsel discussed how they were going to preserve the hospital’s reputation. The CEO was determined to find sacrificial lambs quickly and to communicate that things will be done differently now. She wanted actions to be well in place before the hospital had to go public with the breach.
The next morning, the CEO called the CIO into the office and asked how he was going to focus resources and show management’s commitment to addressing the breach. The CEO was clear they needed ”The right stuff” on the team and asked him to come up with an action plan for the resources and at least maybe new talent to punch up their security team. The budget was also the CIO’s to identify.
The CIO had prepared for this moment, though he wasn’t happy about it. He replied to the CEO,
“The breach plan we’ve activated calls for bringing in talent from our outsourcers and we’ve talked in the past to some specialists. We are working since yesterday on Action Plan Step 1 that calls for identifying the technical breach and shutting down possible exfiltration routes.
“Holly our Director of Security has been a great employee, but this happened on her watch. I can’t see retaining her long-term. Let’s elevate the #2 security person as an acting Director. We’ll make Holly our point person full time on the breach – she’ll be working that much on it anyway. Holly will get a new title like “Director of Special Projects”. We’ll promise #2 to make it permanent if everything works out. Let’s do the same with the Security tech team lead and the Employee Security education. I’ll put money towards a Senior Security Architect. Someone’s whose background will look great in announcement.
We’ll reach out confidentially for outside help today, and Holly can coordinate those talent resources.”
The CEO nodded and issued a caution.
“We may not be able to afford much help from outside. You’ve overspent that budget a lot already this year. Don’t get anything started without the CFO approving the spend.”
The CEO smiled and sent the CIO out. After the meeting she called the HR VP and informed her of the plan. She asked to have the HR manager, Helen, ready to help the CIO.
The CIO wasn’t happy. All that planning and he’d been told that there might not be enough money to actually perform. What did they expect? Didn’t the C-suites want this fixed according to all they had planned and prepared for?
It’s easy to say “Life isn’t fair” but a lot harder to live it. The CIO gets to experience a live example in the upcoming post.
Next Up – The Tough News
Comments