Boards not asking right security questions, says Dido Harding

Former TalkTalk CEO says boards are still not asking the right cyber security questions, do not understand that they should be making cyber risk decisions, and are not communicating with engineers

The best decision TalkTalk’s board made after discovering in October 2015 that the company had been breached by cyber attackers was to tell customers that their data may have been compromised, says former CEO Dido Harding.

“My only regret is that we did not tell about 10 hours earlier when we first decided that it was the right thing to do,” she told the opening session of Infosecurity Europe 2018 in London.

Harding credits the decision to tell customers that their data may have been breached with TalkTalk’s success as a business after the breach.

“The Metro Police did not want us to go public, but we decided that we had to tell customers because that was the best way to protect them from scammers,” she said.

“The big learning for me as a CEO was that if you look after your customers’ interests, they will reward you.”

This was backed up by data which showed that although TalkTalk’s reputation did take a dip initially, three months after the breach it was stronger than before.

“No CEO would wish for a cyber attack, but TalkTalk came through the breach a better, stronger business that was more trusted by its customers than before,” said Harding.

There were three other key learnings from the cyber attack, she said. “First is that boards are asking the wrong questions, like ‘are we OK?’ and ‘is our cyber security good enough?’.

“Because no company can ever be 100% cyber secure, the right questions are: What are the risks? What risks can we accept? What risks do we need to mitigate?”

The second lesson, Harding said, came from the most difficult decision of the whole incident: when to bring the company’s customer-facing systems back online.

“My question to the engineers was: What risks will we be taking if we put those systems back online? I realised that we could only go ahead when the cyber risk was lower than the business risk of being offline and that cyber risk needs to be a board decision,” she said.

The third important lesson, said Harding, was that engineers really can communicate in English when they have to.

“We learned that when engineers explain what they do in a way that non-technical people understand, that is when the magic really happens,” she said.

In conclusion, Harding said it is extremely important that cyber security is not allowed to become a scary taboo.

“We can’t make the digital world 100% safe, but we can make it civilised by building the necessary social, moral and legal scaffolding by having the right debates as a society to agree and set the rules of the road,” she said.
