Consider the following scenario: You are the CISO of a large, publicly traded company. Let’s say it’s a financial organization whose stock has hit a rough patch lately.
The company experiences a major cyber attack, and you discover that the threat actors have deployed ransomware across your network and have encrypted and exfiltrated considerable amounts of private financial client data.
What is your first move?
Do you go public with the news and risk damaging the company’s reputation and tanking the share price? Do you alert the clients that their data has been stolen and offer information on what steps they can take to protect themselves from further damage? Or do you try to pay off the threat actors quietly, get the encryption key, and prevent them from leaking the data? Then you can sweep the incident under the rug, keep your fingers crossed, and hope no one in the press ever finds out about the breach. Which should you choose? (Be honest!)
CISOs Under Scrutiny
The above scenario is not uncommon, of course. Organizations of all sizes experience cyber attacks with increasing frequency. As a question of what you should do as a CISO, however, it’s a trick question: recent government agency policy changes, along with several noteworthy high-profile court decisions, have made the choice for you. The reality for the modern CISO is this – be up front and truthful about cyber attacks at your company, or risk being held personally accountable and possibly facing legal consequences.
The Securities and Exchange Commission (SEC) adopted rules in July 2023 that require publicly traded companies to disclose “material cybersecurity incidents” within four days. Any instinct to cover up incidents or put the company’s reputation first could put CISOs in personal legal danger.
This creates a challenge for the modern CISO, who must perform a balancing act like that of a tightrope walker, carefully weighing loyalty to the company against obligations to customers and the public. When a cyber breach inevitably strikes, the CISO faces a daunting choice: if they go too far in trying to protect the company’s image, ensure public safety, and appease anxious investors, they may be in violation of the law and be held personally accountable.
CISOs’ Legal Accountability
Here’s a real case to consider: In October 2022, Uber’s former CISO was convicted for his role in covering up a 2016 cybersecurity breach. Prosecutors in that case said former CISO Joe Sullivan “took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the [2016] breach.” Sullivan was held personally responsible and sentenced to three years’ probation, narrowly avoiding actual jail time.
Sullivan was convicted not because of the breach itself, but due to actions he took afterward to cover it up by lying to investigators. His conviction sent shockwaves through the cybersecurity community and marked a turning point in attitudes towards personal responsibility for cybersecurity breaches.
In a similar recent development, SolarWinds’ CFO and CISO have received notices from the SEC in connection with the well-known 2020 Orion breach, indicating they are being considered for potential civil enforcement actions for alleged securities law violations.
These cases have sparked discussions about the role of CISOs, their responsibilities, and the evolving expectations placed upon them. CISOs face growing accountability and legal scrutiny in the aftermath of cybersecurity incidents, underscoring the need for heightened transparency and responsibility in their roles.
Regulatory Scrutiny and CISOs
With closer scrutiny from regulatory bodies like the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ), CISOs now find themselves in the spotlight. The call to “show receipts” grows louder, and CISOs need to maintain solid proof of the reasoning behind decisions made during a breach. Even when facing pressure from the company or reluctance to disclose, CISOs need to bear in mind that taking steps to cover up cyber attacks, or providing false information to investigators, could land them in the hot seat.
The CISO is a C-suite position in most organizations, carrying significant influence. But it’s not without its challenges. CISOs need to carefully balance their own long-term personal interests with what’s best for the company. CISOs may be reluctant to admit that a company and cyber program they oversee suffered a breach, as it may reflect negatively on them personally and affect their future career prospects. However, the bottom line is that CISOs have an obligation to the public and should not put themselves in the firing line for trouble down the road.
Cordell Schachter, Chief Information Officer of the U.S. Department of Transportation, was asked about this new era of CISO responsibility during a recent Tel Aviv Cyber Week panel. He likened the CISO’s relationship with government agencies to a patient’s relationship with their doctor. You may be reluctant to tell a doctor about potentially harmful behaviors such as smoking or excessive drinking, but without that information, the doctor can’t do their job of protecting you. Just as withholding medical information can ultimately harm the patient, concealing breaches can ultimately harm the company that experienced the breach.
Cybersecurity consultant Allan Alford also discussed the issue recently on his podcast, “The Cyber Ranch.” He advises CISOs who are faced with a decision about how to proceed after a breach to “do the right thing. Go with your gut. Period. End of discussion.” If you are being asked by higher management to do something that is possibly in violation of the law, he says it’s important to keep an evidentiary trail in writing. It will help solve problems down the road. “If you are doing something risky, get it in writing. Don’t let yourself get set up to be the scapegoat.”
Empowering CISOs
Navigating the complex terrain of cybersecurity, legal responsibilities, and company reputation requires a steady hand and expert guidance. We understand the challenges that modern CISOs face – the delicate tightrope they walk and the weight of their decisions. We’re here to offer a helping hand, providing strategic insights, technical expertise, and a partner in your journey towards cybersecurity excellence, including through our MyCiso service. Our mission is to empower CISOs to confidently lead their organizations through the ever-evolving landscape of cyber threats. Contact us to learn more.