SEC allegations against a cybersecurity executive over a 2020 cyber incident have sent ripples through the industry. Paul Caron of cybersecurity consultancy S-RM digs into the case and explains why it could have a chilling effect on CISO employment.
In October, the SEC made an unprecedented move, suing the victim of a cyber attack rather than using its traditional enforcement move of charging and simultaneously settling with companies that run afoul of regulatory obligations. When the SEC filed charges against SolarWinds, a software company that fell victim to a massive cyber attack in 2020, it also charged the company’s chief information security officer, Timothy Brown, alleging that the CISO defrauded investors by hiding cybersecurity weaknesses.
While the case is in dispute (SolarWinds has filed a motion to dismiss the charges), there is no question that the SEC’s actions have created widespread concern among CISOs. Before the agency’s charges, CISO was a notoriously difficult position to fill, and many companies now worry they will have more trouble finding the right person — or have to pay a lot more money to convince them to accept the potential risk of personal legal consequences.
Could a new era of personal liability be dawning for cyber risk? What does this do to the makeup of the traditional C-suite? And are today’s CISOs under such pressure to maintain a competitive edge that making false or inflated claims is more commonplace than it might have been a few years ago?
Poor enterprise cybersecurity leads to a false sense of maturity and posture
At the heart of the claim against Brown are internally misleading statements and claims on the overall status and state of the internal controls landscape at SolarWinds. These may seem like the actions of a rogue actor on the surface, but they portend a much larger and concerning trend in enterprise cybersecurity. For large companies, cybersecurity maturity and posture are often assessed and tracked in complex ways. One common method is to score control domains on a simple scale (think 1-5 with 1 being immature and 5 being unattainable perfection) that can be repeated year over year to demonstrate maturity score changes and areas of shifting focus. Unfortunately, this type of scoring can often lead to obfuscation of larger risks.
CISO performance will often be judged by these scores, incentivizing higher scores, which can and will lead to larger issues. For example, a CISO of a cash-strapped organization may elect to commit their team’s time and energy to resolution of lower-impact risks that are cheaper to address. This is sometimes referred to as “chasing decimal points.” In this example, the overall maturity score would go up incrementally, but the organization would not have directly addressed the biggest risks. Alternatively, a CISO or their team may inadvertently inflate scores year over year, as they believe performance has improved, despite no material changes being made to the security posture. Each of these instances could represent fraudulent representations of the organization’s overall security posture and put the offending CISO in regulatory trouble.
CISOs Can Use New SEC Cyber Rules to Their Advantage
Translate cyber risk to plain business speak
Read moreDetailsCould the SEC ruling become the catalyst for CISOs leaving organizations?
The role of a CISO is already a very tumultuous position to sustain and fill, the current employment market making it difficult to find the right talent for these critical hires.
The SEC’s move will put a bigger divide between the CISO and the traditional C-suite in the future. There is already an unforeseen bifurcation between accountability for what the CISO is responsible for and actually getting that across the line. So, unfortunately, while a CISO’s regular remit is to bring risks upstream to the CFO and CEO, they’re ultimately not the ones who have a true mandate or authority to put it into action. By suing an individual CISO, the SEC is adding further complication — more stick, less carrot — to the talent acquisition and retention landscape.
And since the SEC appears to be shifting security liability to CISOs, organizations must prove they are willing to support and protect their CISO by providing them the resources (read: budget and headcount) they need to maintain a property cybersecurity program. Otherwise, good talent will simply not be willing to accept the risk.
Protecting CISOs & organizations often means scrutinizing vendors
The additional scrutiny placed on CISOs stems in part from the evolving role of software. A decade ago, most organizations maintained and managed their own IT stack, they owned their own servers, and they ran their own data centers. Now software is a service. This means organizations are placing much more trust in third-party vendors. Because third parties sometimes outsource client data to fourth or fifth parties, even if a third party is vetted, the threat of a data breach still lingers. The interwoven nature of modern software underscores the need for visibility all the way through the suppliers of our suppliers. By gaining transparency into every step of the data lifecycle, organizations can minimize risk, ease compliance and alleviate some of the burden placed on the CISO.
However, implementing visibility tools takes time and capital. Organizations shouldn’t wait for the latest transparency technology to secure their data — there are several low-cost, immediately impactful steps organizations can take to mitigate third-party risk.
- Gain an in-depth understanding of the vendor landscape. Large organizations with expense budgets are especially guilty of committing to partners before conducting a complete survey of the vendor landscape.
- Determine the functions of the business which absolutely require third-party vendors. This will allow organizations to see which processes already performed by third-party vendors are unnecessary or better performed in-house.
- Devise a plan for governance for the operationally critical third-party vendors. The IT and security teams, as well as the business owner, need to work in sync during this step to thoroughly perform due diligence. Organizations in less-regulated industries should take advantage of the clean slate they have when creating governance and tailor the plan to suit their organization’s unique needs.
- Draft contractual obligations. Often with cloud computing platforms, a CISO will hastily agree to a contract, without realizing that various security measures are not included in baseline packages.
- Develop an exit strategy. If during a future date, the organization deems a third-party vendor too risky, they’ll need to cleanly sever ties with the vendor, ensuring the vendor no longer has any of the organization or their client’s data. In the age of artificial intelligence, determining who has access to private data becomes even more important.
Ideally, these several steps should be part of a larger change in corporate culture, viewing the mitigation of third-party risk holistically, rather than the sole responsibility of the CISO. When it comes to vetting vendors and securing data, communication between the IT, security, and executive teams needs to be heightened, and responsibility equally distributed. Once the CISO isn’t viewed as a scapegoat, organizations can attract top talent and modernize their security practices.
Paul Caron is the Americas head of cybersecurity at S-RM, a global corporate intelligence and cyber security consultancy. He has more than 20 years’ experience spanning both the private and government sectors and across a variety of roles, including military intelligence and counter terrorism, and cybersecurity leadership and engagement delivery. Before joining S-RM, he was the managing director of incident response for a global consulting firm. In this role, he used his experience to help clients who were experiencing complex ransomware attacks. 
