Close this search box.
Close this search box.

What Equifax Can Learn From the Military About Surviving a Data Breach

The ability to act decisively, communicate clearly and keep teams focused is critical to leading successfully in and through a crisis. But even more critical is how they have “made ready” the organization long beforehand.

Equifax heads to Capitol Hill this week, where former CEO Richard Smith will testify and detail the company’s missteps in response to the massive data breach that exposed as many as 143 million people.

That Equifax’s poor crisis response made an already bad situation worse cannot be denied. But the bigger lesson for Equifax – and the dozens of government organizations and companies who have faced similar security breaches in recent months – is that to a large extent, their future has already been determined by how prepared (or rather, unprepared) they were before the crisis occurred.

As CEOs, there is no doubt that the ability to act decisively, communicate clearly, and keep teams focused is critical to leading successfully in and through a crisis. But even more critical to how CEOs respond in crisis is how they have “made ready” the organization long beforehand.

The concept of “readiness” is not used widely in the business world, but it is ingrained in our military services. And business leaders can learn a great deal from the military about preparing for both foreseeable and unforeseeable crises.

“critical to how CEOs respond in crisis is how they have ‘made ready’ the organization long beforehand.”

Measuring and improving military readiness has been refined to a science. In fact, being ready is one of two things that our military forces do on an ongoing basis. They are either doing their mission, or they are preparing to do their mission. That mission could be anything from warfare to disaster relief, but in most cases, it involves some sort of a crisis.

To be prepared ahead of time, the military does deliberate planning to ensure they have the people and resources needed to execute assigned missions. The ability to “be ready” for a specific mission, or provide a specific capability when needed is the driver behind both near-term and long-term resource allocation decisions, as our forces must be concerned with both “current” and “future” readiness.

What does military readiness have to do with Equifax and leading in crises? The bottom line is this: if we as leaders don’t think deliberately about real risks in our environment, and take reasonable measures to be ready should those risks occur, then it is unlikely we’ll be ready to lead the organization through the most catastrophic of those scenarios. Asking and answering some key questions can help raise your level of readiness to respond to an Equifax-like crisis.

What are the risks to our company? How likely are they to occur? If they do, what would the impact be? We may choose to assume a risk and mitigate it if the probability of occurrence is extremely low, or the impact is minimal. Our military forces incorporate threat analysis in their planning. When it comes to cyber-attacks, each organization should assess threats and risks for themselves, but one need not look far to see that the likelihood of occurrence is high, and the business impact for many companies can be catastrophic.

Are we aligned to effectively respond to a crisis? Do we have the right organization and processes in place? In many cases, crisis response requires a shift in alignment, priorities and thinking. That shift should be pre-planned. For example, in response to a catastrophic earthquake, the Navy redirected resources to support disaster relief efforts. This required temporarily redeploying ships, forces, and communications infrastructure. At multiple levels of command, operations “cells” or teams were established to focus on specific areas of concern, such as communications, logistics, and people. At the center of this crisis response structure was a current operations cell, tasked with coordinating across the other teams through communications and reporting, and thus to ensure that common “situational awareness” was maintained by all. In other words, keeping everyone on the same page.
For non-military scenarios, the structure of the teams would vary depending on the organization and the crisis, but the construct is relevant. In responding to a corporate cyber-attack like the one Equifax experienced, cells might consist of a damage assessment team to determine the extent of the breach, a cyber team to assess how the breach occurred and to determine the appropriate response. There would likely be a team to determine regulatory and legal compliance, and one to handle communications with the media and with impacted customers. And of course, some kind of command and control team to keep all the actions aligned and all parties informed.

Do we have the right equipment and facilities in place, now and planned for the future, to ensure we’re able to work in crisis? For the military that includes ships, planes and military supplies including weapons, ammunition, combat vehicles, and maintenance tools and equipment. But it also includes computers, networks, business systems and facilities.
It may be that our planning for certain crises indicates we need an alternate worksite in the case of a disaster, or that we need additional computers, network capacity or phone lines for call centers to respond to customer inquiries. Recognizing those needs when in crisis is too late.

Most importantly, do we have the right people? Do they have the right experience, knowledge, skills and abilities? If not, what can we do to close the gap? In the military that ‘gap’ in personnel readiness drives recruiting and training efforts. Compensation actions can focus on retaining key skill sets or enticing people to move to a hard-to-fill position. But again, if that team isn’t in place when the crisis occurs, it’s unlikely they can be assembled in the moment.

There is one final piece to the readiness puzzle that the military readiness system does not formally measure, but it is no less ingrained in their culture. Principled leadership ahead of crisis is possibly the single most important determiner of success in a crisis. The questions we must ask ourselves here focus on values and culture. Do we, individually and collectively, have a core set of values that guide our actions day-to-day – honesty, integrity, accountability, urgency? Do we cultivate relationships within our organization? Our customers? Our stakeholders? Do we value individuals and diversity, foster trust and work toward a culture of openness and transparency?

If present in an organization prior to a crisis, these foundational leadership elements dramatically improve the odds of successfully navigating the storm. Absent these principles, we’re like a ship without a rudder. When the storms come, the ship will be lost.
John F Kennedy once remarked that “when written in Chinese, the word ‘crisis’ is composed of two characters. One represents danger, and the other represents opportunity.” We have an opportunity to learn from Equifax and others, and to “make ready” ourselves and our organizations for the crisis that will come.



  • Get the CEO Briefing

    Sign up today to get weekly access to the latest issues affecting CEOs in every industry
  • upcoming events


    Strategic Planning Workshop

    1:00 - 5:00 pm

    Over 70% of Executives Surveyed Agree: Many Strategic Planning Efforts Lack Systematic Approach Tips for Enhancing Your Strategic Planning Process

    Executives expressed frustration with their current strategic planning process. Issues include:

    1. Lack of systematic approach (70%)
    2. Laundry lists without prioritization (68%)
    3. Decisions based on personalities rather than facts and information (65%)


    Steve Rutan and Denise Harrison have put together an afternoon workshop that will provide the tools you need to address these concerns.  They have worked with hundreds of executives to develop a systematic approach that will enable your team to make better decisions during strategic planning.  Steve and Denise will walk you through exercises for prioritizing your lists and steps that will reset and reinvigorate your process.  This will be a hands-on workshop that will enable you to think about your business as you use the tools that are being presented.  If you are ready for a Strategic Planning tune-up, select this workshop in your registration form.  The additional fee of $695 will be added to your total.

    To sign up, select this option in your registration form. Additional fee of $695 will be added to your total.

    New York, NY: ​​​Chief Executive's Corporate Citizenship Awards 2017

    Women in Leadership Seminar and Peer Discussion

    2:00 - 5:00 pm

    Female leaders face the same issues all leaders do, but they often face additional challenges too. In this peer session, we will facilitate a discussion of best practices and how to overcome common barriers to help women leaders be more effective within and outside their organizations. 

    Limited space available.

    To sign up, select this option in your registration form. Additional fee of $495 will be added to your total.

    Golf Outing

    10:30 - 5:00 pm
    General’s Retreat at Hermitage Golf Course
    Sponsored by UBS

    General’s Retreat, built in 1986 with architect Gary Roger Baird, has been voted the “Best Golf Course in Nashville” and is a “must play” when visiting the Nashville, Tennessee area. With the beautiful setting along the Cumberland River, golfers of all capabilities will thoroughly enjoy the golf, scenery and hospitality.

    The golf outing fee includes transportation to and from the hotel, greens/cart fees, use of practice facilities, and boxed lunch. The bus will leave the hotel at 10:30 am for a noon shotgun start and return to the hotel after the cocktail reception following the completion of the round.

    To sign up, select this option in your registration form. Additional fee of $295 will be added to your total.