We are currently witnessing a significant transformation in the role of Chief Information Security Officer (CISO). In contrast to the previously well-defined responsibilities, the duties of a CISO now seem dynamic and ever-changing. Cybersecurity industry leaders must promptly clarify these responsibilities to avoid potential repercussions.
Traditionally, CISOs were tasked with implementing robust security, information security, and risk management frameworks within their organizations. However, recent events, such as the Securities and Exchange Commission (SEC) charges against the SolarWinds CISO, have introduced a new dimension to the role—potentially designating the CISO as the “fall guy” in the event of a cyber incident.
The SolarWinds case has established a precedent of personal legal responsibility, creating a deterrent for CISOs at public companies. This shift emphasizes the need to discuss what constitutes an effective CISO and the expanded dimensions of the role.
Addressing the implications of the SolarWinds case, the SEC’s charges represent a step toward increased accountability, acknowledging that fines alone are ineffective in maintaining cybersecurity standards. However, the current trajectory places a disproportionate burden on CISOs, who oversee these activities but may lack sufficient control to manage them effectively. The fear of legal consequences is palpable, as demonstrated by the departure of Clorox’s CISO following a major cyberattack.
To avoid the pitfalls seen in the SolarWinds case, it is crucial for CISOs to actively engage in cybersecurity operations, staying informed about the threat landscape and collaborating closely with security teams. A hands-on approach is necessary, leaving no stone unturned and ensuring no vulnerabilities are overlooked.
Working in a high-integrity organization is equally important. CISOs need a strong team and must maintain constant communication with legal, compliance, and business partners. Trust is paramount, and any indication of shadiness should prompt CISOs to reconsider their position. With concerns about accountability growing, the likelihood of whistleblowers exposing unsafe cybersecurity practices increases, making a high-integrity workplace essential for CISOs.
Anticipating changes in accountability rules is a key skill for CISOs. While current emphasis is on CISOs, upcoming initiatives, like the Cybersecurity and Infrastructure Security Agency’s Draft Secure Software Development Attestation Form, may broaden responsibility to CEOs and COOs. CISOs should stay forward-looking and adapt to industry shifts to safeguard against potential liabilities.
The role of a CISO demands continuous vigilance. Although they cannot predict every cyberattack, CISOs must proactively prepare for such events. Mere compliance is insufficient; CISOs should be deeply involved and proactive, understanding new risks and global conflicts that can impact organizational security. The CISO role is not a figurehead but a crucial decision-maker in all security matters, requiring alignment on cybersecurity across the entire C-suite. In a landscape increasingly focused on accountability, organizations must prioritize cybersecurity discussions to avoid individual liability for CISOs and other leaders.