Bridging the Gap Between Leadership and Cybersecurity: Lessons from John D. Rockefeller to Prevent Data Breaches
John D. Rockefeller once said, “I believe that every right implies a responsibility; every opportunity, an obligation; every possession, a duty.” The quote suggests that leaders carry a tremendous duty to act responsibly and ethically, recognizing that their power and resources come with an obligation to contribute positively to society and to safeguard the well-being of others.
Data breaches are occurring with increasing frequency. Contributing factors include the rapid digital transformation of businesses, increasingly sophisticated cyber attacks, inadequate security measures, poor resource allocation, a stressed and high-turnover workforce whose performance and loyalty suffer as a result, and the lack of a comprehensive, integrated, proactive approach to cybersecurity. By adopting Rockefeller's principles of rigorous control, standardization, innovation, risk management, efficiency, and continuous education, organizations can significantly improve their security posture and mitigate the risk of data breaches.
Rockefeller was known for his meticulous attention to detail and stringent control over his operations, and his businesses focused heavily on standardization to increase efficiency and reliability. Organizations can learn from this model by adopting industry-standard frameworks such as ISO/IEC 27001 and the NIST Cybersecurity Framework. Strong, clear, brief, implementable security policies ensure consistent practice across employees, but a policy is only effective if the people it governs understand it and can follow it. Organizations benefit from a more personal approach to explaining policies and from training that leaves employees feeling valued and motivated to do their best work. Increasingly, however, organizations adopt an employment model with little shared company culture, particularly in remote positions, where employees in rapidly changing roles with little job security struggle to improve their performance. This lack of investment in the workforce reduces growth and productivity across the industry.
Rockefeller was also known for his innovation and adaptability. Investing in advanced security technologies such as automation, machine learning and AI, encryption, and blockchain lets organizations find new ways to adapt to evolving threats. Just as Rockefeller diversified his investments to protect his business interests, business goals should be set with a thorough understanding of the risk to the organization. Regular risk assessments and audits, together with a proactive incident response plan, continuous monitoring, and alerting, let an organization confront incidents head on and ground its risk management approach in real-life scenarios.
Cost reduction and operational efficiency require well-informed allocation of resources. Automation and alerting can ensure that software patches are applied and certificates are renewed before they lapse, and measuring KPIs such as mean time to detect, mean time to remediate, and patch compliance through SIEM tooling helps the organization direct its effort to the gap that most affects the business.
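As an added illustration of the kind of automation and KPI measurement described above (this is example code written for this post, not from any cited source or vendor tool), the following Python script checks a certificate inventory for upcoming expiries and computes patch-remediation KPIs from tracking records. The hostnames, advisory names, dates, the 30-day warning window and the 14-day remediation SLA are all constructed, hypothetical values; in practice the inventory and patch records would be pulled from a certificate manager and a ticketing or SIEM system.

```python
from datetime import datetime, timezone

# Constructed inventory of TLS certificates (hypothetical hostnames and expiry dates).
CERT_INVENTORY = [
    {"host": "vpn.example.test",      "not_after": "2024-07-20T00:00:00+00:00"},
    {"host": "mail.example.test",     "not_after": "2024-09-15T00:00:00+00:00"},
    {"host": "intranet.example.test", "not_after": "2024-06-25T00:00:00+00:00"},
]

# Constructed patch-tracking records: when a fix became available and when it was deployed.
# A remediated value of None means the fix is still outstanding.
PATCH_LOG = [
    {"asset": "web-01", "advisory": "ADV-A", "available": "2024-06-01", "remediated": "2024-06-05"},
    {"asset": "db-01",  "advisory": "ADV-B", "available": "2024-06-01", "remediated": "2024-06-30"},
    {"asset": "app-02", "advisory": "ADV-C", "available": "2024-06-10", "remediated": None},
]

# Fixed reporting date so the results are reproducible (hypothetical).
REPORT_DATE = datetime(2024, 7, 1, tzinfo=timezone.utc)


def certs_expiring_within(inventory, now, warn_days=30):
    """Return (host, days_left) pairs for certificates expiring within warn_days,
    soonest first. Certificates that have already expired are included with a
    negative days_left so they surface at the top of the alert."""
    due = []
    for entry in inventory:
        not_after = datetime.fromisoformat(entry["not_after"])
        days_left = (not_after - now).days
        if days_left <= warn_days:
            due.append((entry["host"], days_left))
    return sorted(due, key=lambda item: item[1])


def _parse_day(text):
    """Parse a YYYY-MM-DD string as a UTC midnight timestamp."""
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def remediation_kpis(log, now, sla_days=14):
    """Compute mean time to remediate (in days) over closed items, the fraction of
    closed items fixed within the SLA, and the open items already past the SLA."""
    closed_durations = []
    overdue_open = []
    for rec in log:
        available = _parse_day(rec["available"])
        if rec["remediated"] is None:
            # Still open: flag it if the fix has been available longer than the SLA.
            if (now - available).days > sla_days:
                overdue_open.append(rec["asset"])
            continue
        closed_durations.append((_parse_day(rec["remediated"]) - available).days)

    if closed_durations:
        mttr = sum(closed_durations) / len(closed_durations)
        within_sla = sum(1 for d in closed_durations if d <= sla_days) / len(closed_durations)
    else:
        mttr, within_sla = 0.0, 0.0
    return {"mttr_days": mttr, "within_sla": within_sla, "overdue_open": overdue_open}


if __name__ == "__main__":
    for host, days in certs_expiring_within(CERT_INVENTORY, REPORT_DATE):
        state = "EXPIRED" if days < 0 else "expires in"
        print(f"ALERT {host}: {state} {abs(days)} days")
    kpis = remediation_kpis(PATCH_LOG, REPORT_DATE)
    print(f"MTTR: {kpis['mttr_days']:.1f} days, within SLA: {kpis['within_sla']:.0%}, "
          f"overdue open: {kpis['overdue_open']}")
```

Wiring a script like this into a scheduled job that posts to the team's alert channel turns "remembering" to renew certificates and apply patches into a measurable control, and the same two numbers (mean time to remediate and SLA compliance) are the KPIs a SIEM dashboard would track over time.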
One lesson from Rockefeller's business legacy and mindset is to strengthen education and training strategies to protect sensitive information. This is the area where employers most often miss the mark, and it is the one part of the security program that should be personal rather than automated. Training should leave employees with a sense of urgency and responsibility to maintain security in their daily activities. To make meaningful change, organizations must invest in a company culture that rewards that responsibility and, in turn, boosts productivity. While Rockefeller privately invested generously in education and research and undeniably created jobs, he missed the mark on labor rights. A fair and competitive market should promote economic freedom with well-informed employees who hold respected, valued positions in the company. The Capability Maturity Model (CMM) description in the CISA study guide illustrates the same misstep: “Level 5 = Optimized is the highest level of control, with continuous improvement using statistical process control. Characteristics at level 5 include the following: Workers become a warm body-style commodity because the rules are so specific that, with little training, almost anyone can perform the tasks. Executives now have the most control. Department managers and workers have almost zero decision authority. A culture of constant improvement is pervasive with a desire to fine-tune the last available percentages to squeak out every remaining penny of profit.” This ideology, if taken to extremes, leads to worker dissatisfaction and higher turnover, which in turn contributes to data breaches through inadequate cybersecurity expertise, decreased company loyalty, reduced productivity, and poor resource allocation.
Organizations have a duty to protect their employees, who form the foundation of productivity. If they want to see a change, they need to abandon the assumption that cybersecurity can “just be done by anyone effectively.” Teams should have longer-term positions in which they grow and learn together, improving their methods for addressing cyber threats and risk over time. An organization that invests in continuous growth with its employees makes a positive impact, innovates, and grows in the industry.
In the event of a breach, an organization must notify regulators and affected individuals within the statutory window under laws such as GLBA, GDPR, and CCPA, or face fines. Notifications must describe the extent of the breach and advise customers on monitoring their credit and protecting their information afterwards. Unfortunately, some organizations choose the fine over following the law when that costs the institution less, regardless of the damage it does to the public. The “State of Cybersecurity: 2023 Trends” report reveals, “50% of organizations experienced a breach in the past year — the same odds as flipping a coin. Out of those affected organizations, 72% did not disclose the breach when it occurred. Of the 28% that did disclose, the disclosure was limited to ‘some’ of the breach details” (Arctic Wolf, 2023). This suggests that organizations often forgo their reporting obligations to protect their bottom line or their reputation at the public's expense, which creates an unsafe digital world in which organizations do not behave ethically. To promote true change, cybersecurity leaders need to build an organization that values employees and prioritizes integrity.
While it is essential to address modern cybersecurity challenges with innovative solutions and comprehensive policies, it is equally important to uphold the principles of personal responsibility, market efficiency, and strong leadership. By fostering a culture of accountability and empowering employees through education, fair practices, and longer-term positions in which they learn to adapt and respond to cybersecurity threats, organizations can build a robust defense against data breaches.
References:
Arctic Wolf. (2023). The State of Cybersecurity: 2023 Trends. https://arcticwolf.com/resources/blog/why-organizations-are-reluctant-to-disclose-breaches/
Cyber Talents. (2024). Top 15 Cybersecurity Metrics and KPIs for Better Security. https://cybertalents.com/blog/top-15-cybersecurity-metrics-and-kpis-for-better-security
GOV.UK. (2024). SIEM contract: key performance indicators (KPIs). https://assets.publishing.service.gov.uk/media/63a2fc7ad3bf7f375c7d831c/sia-siem-contract-kpis.pdf
Loborec, S. M., & Weber, R. J. (2015). Patterning your department after great leaders: John D. Rockefeller. Hospital Pharmacy, 50(3), 243-246. doi:10.1310/hpj5003-243. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4567195/
Nichols, L. (2024). Cybersecurity Architect's Handbook. Packt Publishing.
Tunggal, A. T. (2024). 14 Cybersecurity Metrics + KPIs You Must Track in 2024. UpGuard. https://www.upguard.com/blog/cybersecurity-metrics