Tata chair Natarajan Chandrasekaran faces a major cybersecurity crisis.
AFP via Getty Images
Questions swirl and anger boils about an ongoing cybersecurity crisis that forced the ongoing, near month-long shutdown of Tata’s Jaguar Land Rover UK production.
Factories with 1,000 daily-vehicle capacity idle as the premium automaker struggles to reboot manufacturing, scheduling and communication technologies. Initial lost sales estimates now top $1.3 billion. The deep reach into dealer business, supply chain partners and consumer markets decimated Q3 financial targets, choked supplier cash flow, cratered customer expectations and triggered government investigations.
Such headline-seizing breaches often widely prompt the worthwhile, but wrong, initial handwringing digital defense question “do we understand and can we afford prolonged business interruption?” Many senior leaders don’t and can’t.
Business pundits, cyber defense sales teams and insurance actuarial wonks rushing to quantify and tally the losses can make that case. A better question is “do we have meaningful stewardship-minded governance ready and resilient to face cyber risk?”
Non-answers are quite telling, as truth resides in uncomfortably addressing incentives, incompetence and indifference. In Tata’s case, add (lack of) independence to the list.
Let Us Prey
Two highly questionable cybersecurity governance actions show Tata failed its pledge to guide “business decisions while ensuring financial responsibility, ethical conduct, and fairness to all stakeholders including employees, customers, investors, regulators, suppliers and the society at large.”
First, Tata Motors reportedly outsourced cybersecurity to Tata Consultancy Services (TCS). Was that decision to override arm’s-length alternatives driven by cost savings, strategic positioning, service offering piloting needs or genuine expertise? That self-dealing suggests it’s unlikely the board ever considered its stakeholder platitudes.
More troubling, Tata allowed three directors to oversee both sides of related party transactions. Natarajan Chandrasekaran (Chandra) chairs the boards of Tata’s holding company and every subsidiary. Maybe worse, two of the other five non-executive Jaguar Land Rover directors, tech executive Al-Noor Ramji and supply chain maven Hanne Sorenson, also serve on TCS’s board.
Aside from Chandra, Ramji is likely to receive the most scrutiny as litigation ensues and regulatory investigations open. He ostensibly satisfies the widespread clamoring for director cybersecurity expertise, as his resume boasts senior IT leadership roles at major companies including Prudential, British Telecom and UBS. However, Ramji’s dual appointment flouts independence and compromises risk assessment decisions.
That’s perilous in the digital era, as often hackers spot weaknesses long before victims.
Truth And Consequences
The ongoing crisis is massive and its aftermath will be long, difficult and far-reaching. While recovery, resolution and remediation will likely take years, here are five immediate lessons from Tata’s Jaguar Land Rover cyber governance challenges:
Lesson 1: Board independence is non-negotiable.
Courageous c-suites demand exceptional boards. Cybersecurity expertise means little if incentives cloud critical vulnerability assessments and responses. Competencies and independence must accompany credentials to deliver meaningful stewardship. As a minimum, governance structure design must be defensible — before issues arise.
Lesson 2: Cybersecurity outsourcing needs extraordinary oversight.
Cost savings and operational efficiency cannot supersede security when it comes to protecting the business value chain. Cybersecurity outsourcing decisions must be driven by genuine expertise advantages, not just financial, strategic or kinship considerations.
A cyber breach has halted Jaguar Land Rover UK production for nearly a month.
SOPA Images/LightRocket via Getty Images
Lesson 3: Cybersecurity crisis plans must be thorough and tested.
Modern cyber attacks don’t just target select workflows — they can cause total operational paralysis. Senior leaders must ready “kill switch” authority, business continuity procedures and recovery plans. Backups proved inadequate when Tata’s entire manufacturing, scheduling, and communication infrastructure went offline. Restarting production will not be easy with cars abandoned in various assembly stages.
Lesson 4: Cyber breaches spur cascading stakeholder damage.
The downside extended far beyond Tata’s factories, disrupting dealer networks, supply chain partners and customer perceptions. Vendors are contemplating layoffs and bailout loans. Those same suppliers complained that poor incident visibility and unclear updates fed uncertainty and muddied financial loss projections. Simply, no cyber risk assessment is complete without substantive consideration of key stakeholders.
Lesson 5: Immediate costs do not mirror real business consequences.
Senior leaders cannot afford to underestimate the business consequences of cybersecurity failures. Boards and executives who still view IT controls as primarily a a compliance expense jeopardize their organizations and fuel avoidable exposure to business interruptions, customer defection, reputation damage and long-term competitive struggles — all eclipse operational costs and regulatory penalties.
In sum, familiarity is no substitute for experience. Revenue-thirsty consulting firms and pocket-lining directors often demonstrate that, but rarely bare the consequences.
Tata may soon be a major exception.
The Clairvoyant
Intriguingly, the first page of the TCS annual report proudly cites company founder Jamsetji Tata asserting, “In a free enterprise, the community is not just another stakeholder in business, but is in fact the very purpose of its existence.” Whether that 19th century wisdom proves prophetic or superfluous in today’s predatory cybersecurity world depends on decisive senior executives, not leaders-in-title-only.
Who’s driving on the “other” Abbey Road?
