The ostrich defense is a criminal defendant’s claim of being ignorant of an associate’s criminal activities, of which the defendant would normally be expected to be aware. Defendants relying on this defense claim that all wrongdoing was performed by others, without their knowledge or consent. The defense is so named because of the tendency of ostriches to put their heads in the sand in the event of danger.

What to make of the findings of a study conducted on behalf of Nasdaq and cybersecurity technology provider Tanium? The two commissioned a study of over 1,500 C-suite officers and non-executive company directors at Global 2000 organizations across five regions to gauge the state of cybersecurity awareness and readiness. The regions surveyed included the United States, Japan, Germany, the United Kingdom, and the Nordic nations. To an extent the findings are predictable and in line with our current understanding of corporate vulnerability. Corporate executives don’t understand cyber? No surprise here. Executives feel their organizations are not prepared to handle a major attack. Of course they don’t, because most organizations aren’t. But how about this? Forty percent of the executives surveyed said they do not feel responsible for the repercussions of a cyber attack. If true, this represents a serious challenge.

The suggestion that senior corporate executives do not feel personal responsibility for cybersecurity is baffling. Dave Damato, chief security officer at Tanium, put it this way in an interview with CNBC. “I think the most shocking statistic was really the fact that the individuals at the top of an organization—executives like CEOs and CIOs, and even board members—didn’t feel personally responsible for cybersecurity or protecting the customer data.” Taking this at face value, it suggests that CEOs and other C-suite executives don’t appreciate that a breach could damage the entire business, and have not drawn appropriate lessons from the misfortunes of cyber victims like Target and Sony.

There is, of course, another potential explanation. It may be that senior executives are feeling so overwhelmed by the cyber threat, and so insecure about their organization’s capability to effectively deal with a cyber attack, that they are rationalizing successful attacks as an ordinary cost of doing business, and expecting that customers, business partners, regulators, and shareholders will see the world the same way. The sentiment would be understandable, but would offer scant defense against litigation and/or regulatory penalties. Moreover, taking this logic a step further, it seems executives who do not feel responsible for protecting customer data inevitably will be less likely to do so, and thus their organizations more readily become victims. This would be a classic example of the ostrich defense.

Perhaps it’s useful to bear in mind the ostrich defense has other names—notably the dumb CEO defense, dummy defense, and idiot defense. Just saying.

By Tom Davis, SDI Cyber Risk Practice
April 5, 2016