CISO accountability in the era of software supply chain security


Cybersecurity leaders are well aware that the industry is constantly evolving. From the kinds of threats organizations face to the security tools best suited to mitigating them, today’s leaders understand that they have to stay on their toes. But in just the past few years, there has been considerable change in one role specifically: the Chief Information Security Officer (CISO).

The way a typical CISO functions today is quite different from how a CISO would have conducted business in 2020. This is because the cybersecurity industry was forever changed by SunBurst, the software supply chain attack on SolarWinds’ Orion software disclosed in late 2020. Not only did this incident put software supply chain security and third-party risk management (TPRM) on the map, it also served as a paradigm shift for CISOs.

As those of us who have served as CISOs know, there is a constant tension between security, controls and the business’s objectives, in that CISOs are expected not to be part of an “organization of no.” Prior to SunBurst, it was considered common practice for CISOs to have their security reports “prettied up” by marketing and PR teams for public presentation. More often than not, that resulted in their statements being watered down or losing their meaning. Even worse: cleaned-up language might fail to capture the true state of security at their organizations. Only a few years ago this kind of whitewashing was the norm for publicly traded firms, which faced few, if any, consequences, legal or otherwise, for such activity.

These expectations for the CISO took a dramatic step forward in October 2023, when the U.S. Securities and Exchange Commission (SEC) charged SolarWinds and its CISO, Timothy G. Brown, with fraud and internal control failures, alleging that the company “misled investors about its cybersecurity practices and known risks” in relation to the 2020 SunBurst incident. From the outside looking in, it seems as though Brown is being held personally liable for what had been considered common practice by many CISOs and their organizations.

Historically, the controls available to CISOs to ensure that commercial off-the-shelf (COTS) and other third-party components didn’t bring unacceptable risks into their corporate environments were generally limited to questionnaire-based surveys, rudimentary contract language, and point-in-time technical security reviews (e.g. manual penetration tests). Today, these controls are largely ineffective, and do not scale, at finding the kinds of risks behind significant breaches since SunBurst, such as 3CX, Kaseya, CircleCI and MOVEit.

This new precedent brought forth by the SEC is now the defining event between two time periods (like B.C. and A.D.). In this new era, marked by concern for software supply chain security and newfound accountability, CISOs can be held personally, and financially, accountable for how they represent the state of their enterprises’ security programs. Misrepresentation of an organization’s security posture is therefore no longer acceptable.

Here's what CISOs need to know in this new era — and how they can leverage their new responsibility to prioritize security within their organization.


The new CISO: a Cyber CFO?

To better understand this new level of scrutiny in the cybersecurity industry, it’s best to compare the newfound personal liability of a CISO to what is expected of a modern-day Chief Financial Officer (CFO). Back in the early 2000s, the finance industry had its own paradigm shift, when the energy company Enron collapsed, revealing a wide range of financial improprieties. In October 2002 the SEC charged the company’s former CFO, Andy Fastow, with several serious offenses, including “inflating the value of Enron’s investments”; he later pleaded guilty to federal criminal charges.

The SEC’s case against Brown and SolarWinds will “be like our (cybersecurity’s) ENRON moment,” my friend Daniel Miessler shared in his writing about the SEC’s case against Tim Brown. That’s not in the sense of the alleged offense committed, but the reaction it spawns in regulators, he wrote.

Miessler and I agree that in this new era of scrutiny, CISOs will have to carry themselves much as a CFO does in the post-Enron world, making the modern cybersecurity leader more akin to a “Cyber-CFO.” Rather than being concerned only with the enterprise’s security, cyber leaders will likely be held personally liable for their security assertions and external reporting, and will be subject to regulatory standards, just as a CFO is today as a result of Enron and the subsequent Sarbanes-Oxley Act of 2002.

This is why I believe the following four changes will come (or have already come) for today’s CISOs:

1. Careful drafting training for all execs

There will be careful drafting training for senior executives, including CISOs and possibly the whole company. There will be a newfound priority among the C-suite to be extra careful regarding what they say and how it is said, both verbally and in writing, internally and externally.

2. Well-rounded CISO candidates will rise up

CISO candidates with multidisciplinary, well-rounded backgrounds are more likely to be considered for these positions. Enterprises want CISO roles filled by seasoned security leaders who are also business-savvy, because leaders with this kind of diverse background will have a better understanding of personal liability in the areas of financial and fiduciary responsibility.

3. Seniority will come with the new responsibility

The CISO will be a more senior executive than previously, and will be expected to take a broad view of risk. The work and responsibilities of a CISO will be taken just as seriously as the CFO’s, and the CISO may even become a Section 16 officer of the company. If the current CISO isn’t willing to take that on, the company will gladly find someone else for the position who will.

4. CISOs will have the final word

CISOs will have the final word on internal and external communications regarding the company’s security practices. Enterprises do not want to be held legally accountable for “watering down” the CISO’s factual messages about the company’s state of security.

CISOs can use this new responsibility to prioritize security

All of the above changes are why a CISO now needs to start acting like a CFO on their very first day in the role. CISOs no longer have the freedom to prioritize business interests and subordinate cybersecurity, because they may be found liable for misrepresenting security practices in the event of a cyber incident. A CFO doesn’t "let SOME fraud, financial crime, absence of key stated controls and insider dealing go” while they ease into the role, and the CISO will need to act the same way regarding their company’s security program.

While some may find this new era of CISO accountability a threat, they need to look at the opportunity as well, and the opportunity is considerable. Yes, CISOs will have more work to do with this newfound level of scrutiny and accountability. However, this new era will allow them to take a more senior and influential role in the organization, receive greater allocations of resources to keep risk at an acceptable level, prioritize critical enterprise security needs, and be fully transparent about the security issues their company is dealing with.

And because CISOs and their respective companies will be more transparent and accountable, this should lead to greater trust in them from customers, board members, investors, employees, regulators, and the communities in which they operate.

To all of the CISOs out there, this is your moment to seize the day!
