The chief information security officer (CISO) role has been under increased scrutiny from regulators over the past few years.
This is especially true in the US, where the former CSO of Uber, Joe Sullivan, was sentenced to three years of probation and to pay a $50,000 fine in 2023 after a 2016 breach exposed the data of 56,000 Uber users.
That same year, the Securities and Exchange Commission (SEC) charged Timothy G. Brown, then SolarWinds’ CISO, with fraud and internal control failures.
Speaking to Infosecurity during the RSA Conference 2024, Gerome Billois, a cybersecurity and digital trust partner at cyber consultancy Wavestone, predicted that similar cases could soon happen in other parts of the world, particularly in Europe.
Sullivan, who now runs his own security consultancy, spoke about his experience during the RSA Conference.
He and fellow panelists Charles Blauner, president of Cyber Aegis, and David Cross, SVP and CISO of Oracle SaaS Cloud, shared recommendations for CISOs on how to prevent such extreme situations and protect themselves against legal pressure.
Gadi Evron, founder of Knostic, revealed that Brown was initially invited to join the panel, but his legal advisors convinced him not to.
Why CISOs Have Become the ‘Scapegoats’
Blauner said the pressure induced by the rise in cybercrime is having a ripple effect on CISOs, meaning that success at their jobs is no longer assessed only by their employer but also by the regulators.
“The heat is coming because you’ve got these entities in government responding to the huge rise in cybercrime. It’s not like the old days, when there was an incident and most people wouldn’t notice. When stuff happens today, the whole world knows,” he said.
Sullivan also pointed to the US National Cybersecurity Strategy calling for “shifting the burden for cybersecurity away from individuals, small businesses, local governments, and infrastructure operators, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.”
He said this new national policy is one reason companies are under more pressure to deal with cyber incidents.
This pressure is then passed on to the CISOs, CSOs or cybersecurity managers and directors.
CISO Tips to Prevent Legal Sanctions
Record and Document Everything
With CISO indictment cases becoming more common in the US, Oracle’s Cross said the first thing CISOs should do is record and document everything so they can show exactly what happened when asked.
He recommended getting as many internal conversations in writing as possible and recording each step taken by the organizations, before, during and after a cyber incident.
Check Where the Responsibility Lies
Cross said it is also essential for CISOs to have clear documentation defining the roles and responsibilities within each organization.
Very few members of the audience, which had a significant proportion of CISOs, raised their hands when asked by Cross who had clear documentation of their role and responsibility.
Blauner said that the question of responsibility can also be solved by better defining the role of the CISO.
“Everyone knows what a CEO or a CFO does and where their responsibility lies, whereas no one has a clear definition of what a CISO is exactly. For the board, they’re the chief cybersecurity officers. For the SEC, they’re the chief compliance officers,” he said.
Organizations could start defining the role of CISOs by answering three fundamental questions:
- Does the CISO have a seat on the board?
- Is the CISO an advisor, a manager or a director?
- Can the CISO manage their own budget, or are they allocated a budget without any say?
“Whatever the answers your organization decides to give, bear in mind CISOs are not business leaders. Security leaders, risk advisors, perhaps, but not business leaders. For instance, whether we have leverage over our budget or not, we don’t make the final decision on how much will be allocated to security. The CEO and CFO do,” Blauner added.
Vet Your Organization’s Cybersecurity Engagements
Sullivan also insisted that in most CISO indictment cases, charges were not so much on security but communication failures.
“In both my case at Uber and the SolarWinds case, the focus of the regulator was on what the companies said, what they promised in terms of cybersecurity,” he explained.
That’s why CISOs should make sure they vet any security-related engagements taken by their organizations – and do so before an incident occurs.
Billois told Infosecurity that CISOs have started looking at any official documents their organization releases that could address security engagements and promises.
“Take annual business reports, for instance. There used to be no mention of security in them. Then, a few years ago, people writing those documents started adding a few lines about cyber, but in most cases, without speaking to the CISO. Now, CISOs must get involved with these statements because they will be held accountable for them,” he explained.
Sullivan also emphasized that CISOs should “pay attention to any statements their company issues around security and privacy, and challenge it if you are not aligned with it.”
Get Board-Level Independent Legal Representation
Blauner argued that, with US regulators charging CISOs’ individual responsibility, it is time for CISOs to get individual legal representation and board-level individual insurance.
“This is standard practice for other executive roles and should also be true for CISOs. They should preferably do that before an incident happens,” he said.
He pointed to Team8’s CISO's Guide to Legal Risks and Liabilities and the Security Innovation Network’s (SINET) content as valuable resources to get started.
Don’t Make it An Obsession
Throughout the session, Sullivan insisted that, although CISOs should be prepared to be probed, protecting themselves should not be their obsession.
“There have only been a few indictments against CISOs so far, and none of them went to jail. These risks should not be top of mind,” he said.