From Corporate Guardian to Fall Guy: The Changing Landscape of the CISO Role
https://www.scmagazine.com/perspective/compliance/why-cisos-need-enhanced-legal-protections-in-the-age-of-breach-lawsuits


The role of the CISO has been on my mind lately, especially after changing roles earlier this year from full-time CISO for one organization to a vCISO role supporting multiple organizations. I also recently posted an article about the CISO burnout and mental health challenges that many of us in this role have faced or are facing.

When Michael (Scott) Schindler and I were collaborating on a topic for my keynote a few years ago, we joked that we should name the presentation “How to be the GOAT (Greatest of All Time) and not the ScapeGOAT.” I have always understood my role as the Corporate CISO/CSO: I was responsible for managing cyber-related risk by assessing potential risks for the company and then presenting the assessment to the C-Suite and the Board of Directors, allowing them to make more informed decisions on investments in the cybersecurity program.

Sounds easy, right? Often the CISO proposes the controls or technology necessary to strengthen the company’s security posture, meet regulatory requirements, or make the company more resilient when it does get hit. When leadership isn’t ready (or in some cases willing) to take the actions recommended by the CISO, they find themselves dealing with difficult outcomes such as a data breach or ransomware attack. So, who is at fault when this happens? Is it the CISO’s fault because he or she didn’t adequately defend the company, or is it because he or she was denied the resources required to do so?

Honestly, I knew my job as the CISO/CSO could ultimately function as the “fall guy” if we were hit by a cyberattack or data breach. I existed to take the blame for any lack of protection, which would shield the C-suite and the Board from culpability. I could accept this fact in the past. Now here we are in 2023, after the Uber breach trial, where the CISO was found guilty, sentenced to three years of probation, and ordered to pay $50,000.* In other recent news, the CISO of SolarWinds was individually named in a class action lawsuit. Having recently shared some data on the mental health challenges we face as CISOs, I wonder whether we are really willing to face jail time or heavy fines for our jobs. Will CISOs be faced with the decision to stand up for what is right and lose their job, or to support their company and follow instructions from those higher up in the organization, risking liability for the company?

*Important note: I am not offering any opinion or judgement of Joseph Sullivan, as I was not on the jury, nor do I have all the details of the case. I am using this case only as an example of how the CISO’s role has changed.

Brian Levine at SC Media has made some valuable points in this article. Corporate officers and directors have historically been covered by certain safeguards, including the Right of Defense, Indemnification, and D&O insurance policies. For many CISO/CSOs, the “Chief” in our title has carried as much liability as the corporate officers and the board members, but not the protection that comes with their positions.

As Levine also points out, “Even the best CISO cannot prevent every breach.” He is right. We can’t control human error, missing controls, lack of support for the cyber program, zero-day attacks, supply chain attacks, nation state attacks, and other potential threats.

CISOs serve a critical role in any organization. Any cyberattack or data breach quickly becomes the company’s problem, not the CISO’s. Given the talent shortage and the burnout rate among CISOs, it is time we apply the same protections as the other “Chiefs” in the company.


#CISOs #Cybersecurity #RiskManagement #WomeninCyber #WomeninTech #Cybersecuritycareers


Richard Smith, CISSP, CDWP

U.S. Department of Homeland Security: Science and Technology Directorate

1 year

Jessica N. Thank you for sharing this very interesting article. It is a real "eye opener" regarding the role of CISO. I have had the opportunity to work with some of the best, however, they do seem to move on/out more quickly than other roles. The support, seen from my vantage point, often comes down to funding (or lack thereof) and the upper leadership's unwillingness to understand what CYBERSECURITY actually means and what it takes to make a system compliant with the mandates placed on the security team. That is until a breach occurs. Then all bets are off, CYA is in effect! However, I do believe as the current changes affecting Cybersecurity (Executive Orders, like 14028 to implement Zero Trust Architecture) are put in place, there will be no choice but to support the CISO's request to implement those requirements or face an inquiry as to why this support was not provided. As a CISO, document the interactions and requests made for Cybersecurity enhancements and the resulting efforts afforded to those projects.

Scott Thompson, CISSP, CSSLP

#digitalAF Accelerator | DAF LLM Evangelist | Data Analytics Ninja | Accelerating Change!

1 year

CISO - The person you fire when you fail to listen to anything they say.

Michael S. Oberlaender - PREMIER CISO

8x GLOBAL CISO CSO CTO CIO / Board Member / Transformation / F500 Industry Leader / Visionary / Bestselling Author / Keynote Speaker / Mentor / Exploring op/ MS CGEIT CISSP CISM CISA CRISC GSNA ACSE TOGAF CNSS CDPP CDPSE

1 year

Thanks for your perspective, Jessica N. I had commented (see under my featured section) on the SEC Wells letter to the CISO of SolarWinds before, and I think (based on what I've read about it - although I must admit I don't have all the details) they're shooting for the wrong target; there are others to go for, first and foremost. If this nonsense continues, in the end most of the qualified CISOs will stop working in that capacity, making the risk situation even worse for companies ruled by the SEC. This can't be in the interest of shareholders and stakeholders...

Jesper Sahlberg

At the Corner of Cyber Risk and Business Success.

1 year

Jessica N. There was a time when no one would hire the company CISO that was on duty during a breach. That was followed by a period where CISOs with real-world incident and breach experience were the most desired hires. Ultimately fiduciary leadership (Board, C-Suite or Risk Committee) owns the consequences of all cyber risk decisions (including those cyber risk decisions NOT made). If only there was a way to establish a cyber risk registry that could capture all cyber risk findings, record risk decisions (Accept/Remediate/Transfer) and build a defense against future negligence claims. For consideration: Maxxsure #cyberriskmanagement powered by #cyberriskquantification

John Mumford

Helping companies be more resilient in a digital world!

1 year

This is great, thanks for sharing!
