Glassdoor's 2016 Employees' Choice Awards Highest Rated CEO List includes household names like Marc Benioff, Mark Zuckerberg, and Tim Cook, all CEOs of companies that also score high marks for strong security. Is there any correlation between a company's cyber risk profile and its CEO employee approval rating?
Of course, a myriad of elements ultimately make up a firm's cyber risk profile—for example, size and industry, to name a few. UpGuard's Cyber Security Threat Assessment Report (CSTAR) uses external risk parameters (e.g., industry trends and peer environments) alongside key internal parameters—the organization's size, infrastructure data, asset configurations, and exposures—to accurately quantify the collective vulnerability of every server, network device, and cloud service to the risk of breaches.
One element in particular—Glassdoor's Employee CEO approval rating—is a critical measure used by UpGuard to calculate CSTAR scores. Let's revisit the aforementioned top-rated Glassdoor CEOs and their respective companies to understand why.
A quick UpGuard risk assessment reveals the following:
CSTAR scores for Salesforce.com, Apple, and Facebook.
Note the strong CEO approval ratings coupled with strong website perimeter and email security controls to boot. But what about Glassdoor's worst performers, that is, the companies that score the lowest when it comes to CEO employee approval?
Let's take a look at three from the bottom of the barrel—Dillard's, Forever 21, and HTC. We gauged their cyber risk with UpGuard's risk assessment platform:
CSTAR scores for Dillard's, Forever 21, and HTC.
All three CEOs have low employee approval ratings, and each respective company has correspondingly bad email and website perimeter security. Each firm housed a myriad of security risks, including missing sitewide SSL, leakage of sensitive data, and lack of DMARC and DNSSEC, among others.
Security As an Indicator of Strong Corporate Culture
For HTC, its most devastating blow to date was not a cyberattack, but a case of corporate espionage: in 2013, the company's VP of Product Design, R&D Director, and Senior Manager of Design and Innovation were arrested for selling key intellectual property to a rival Chinese handset manufacturer. HTC's share prices plummeted following the announcement; 5 employees were eventually indicted for leaking company secrets, falsifying expense reports, and taking kickbacks.
Again, many factors come into play when determining an organization's cyber risk profile. That said, CEO approval rating is often an accurate barometer for a company's internal state of affairs, including matters related to infrastructure security. As the old adage goes, corporate culture is top-down. Bad thinking from leadership breeds similar mindsets amongst managers and workers. Furthermore, a firm that harbors disdain for its leadership is less likely to maintain a culture of strong security—for employees or customers.
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.