The Action That Shook An Industry

Last week, after three long years, the Securities & Exchange Commission (SEC) decided to issue a Wells Notice to SolarWinds, informing them of their intent to initiate enforcement proceedings for the 2020 breach that impacted thousands of customers. In their 8-K filing, the company stated that the CFO, CISO, and several other current and former company executives were issued notices. While, over the past several years, it is not uncommon for the SEC to initiate enforcement actions on companies for cybersecurity breaches, this is the first time that the CISO has been named as part of the action.

That fact has caused seismic tremors throughout the security industry and the CISO collective as a whole. 

While some in the industry have compared this to the case surrounding former Uber CSO Joe Sullivan and his being found guilty of obstruction of justice and misprision, I feel the SEC’s most recent actions have a far more profound effect on the industry. Whereas Mr. Sullivan was found guilty of said crimes, there is no evidence that the SolarWinds CISO has done anything fundamentally wrong. 

This brings us to the question, does the SEC feel that the breach of a company is the direct result of criminal negligence on the part of the CISO? 

Many of you can understand the profound absurdity of my asking that question.

When a CISO is not a Chief

If we look at most corporations, the ‘Chief’ title typically reports to the CEO and equates to absolute authority over the decision-making of that business function. The Chief Financial Officer has the ultimate decision-making power over anything financial. The Chief (Legal) Counsel has the final say over any legal issue. The Chief People Officer/Chief Human Resources Officer has the end-all say in employee issues, hiring practices, and salary structures.

Here’s the striking thing, in looking at how the SEC is approaching security, from both enforcement actions and the new pending regulatory changes, it is obvious that they are taking the position that the CISO is the organizational equivalent of all of the other C-suite executives.

However, with few high-profile exceptions, the Chief Information Security Officer is typically several levels down the org chart from the CEO and has no such absolute power. In fact, according to a recent study, only 9% of CISOs report to the CEO, and over 65% are buried within the IT department. So, while it may be hard to accept, the ‘C’ in the title is nothing more than a self-appointed moniker for most, and apparently, it’s becoming quite the target for the SEC.

If we look at a ‘day in the life’ of a CISO, much of it is spent trying to convince others to do work directly related to how the CISO’s performance is reviewed. For example, most security programs ‘own’ vulnerability management, however, vulnerability mitigation (patching, configuration management, etc) is almost always an IT function. How does that CISO explain to the board (or auditors) that their peers are failing at performing basic risk mitigation practices without making their collective leader, the CIO, look incompetent? The problem is, most can’t.

If, again, we’re taking a hard look at the cross-section of CISOs, the other issue is, to be frank, many shouldn’t report to the CEO. Understanding the difference between being a CEO direct report and being one level down is something most people do not quite comprehend. Becoming a formal director of a company has many implications, and when evaluating the experience and business acumen of many CISOs, they rightfully shouldn’t be at that level yet.

For far too long, businesses have tried to save a headcount by appointing network or security managers to the CISO role because of their necessity to ‘check the box’ on compliance requirements. Now, the SEC is holding those CISOs accountable the same way they hold other corporate executives accountable – with no forewarning or explanation. CISOs should not be making firewall changes, adding users to AD, or configuring servers; just as a CFO doesn’t process invoices or cut checks. If you are one of these ‘hands-on’ CISOs, it’s time for a serious discussion with your direct-line leader and HR around the potential liability you have unknowingly taken on.

Now, this is in no way a criticism of those who have been tasked with ‘owning’ security, but it is absolutely a critique of the companies that just bestow it on individuals who are not properly supported in their role with staff, budget, and training. Whether it’s CISO, Director, or Manager; the title is fairly irrelevant – if you are at the top of the security food chain, you better understand the responsibility and liability you are now carrying.

As someone whose entire career has been anchored in building security programs with the CISO title, I have the utmost compassion for others in the role. However, we have hit a tipping point that requires companies to elevate the CISO role to that of a corporate director (along with the benefits that encompasses, such as D&O insurance) and give them the authority they need to be successful in their role. 

Positioning for the Future

There is no doubt that the recent SEC actions will continue, and with the pending cybersecurity rule changes, become even more prescriptive in the coming years. Corporations must begin to accept that the security and soundness of their technology infrastructure must be adequately protected by an executive of the company, not relegated several levels down.

Ultimately, there are two things that every security executive should consider:

• Investing in a mentor. There are a number of long-time security executives who have spent years talking to boards about cyber risk. If this is your first time in the CISO role, or even if it’s not, but it will be your first time with frequent board interaction, a mentor may be the best resource to get your message to the appropriate level quickly. A mentor can be a great resource for many other topics as well, such as incident response, program design, and team management advice. 
• Security executives should seriously consider requiring Directors’ & Officers’ (D&O) insurance and indemnification coverage as part of their employment. Harvard Law School provides a great list of essential requirements you should ask for as part of your compensation package.

If the SEC continues down this path, and there is no reason to think it won’t, we are going to see substantial changes in the way security executives are viewed over the next 18-36 months. It is absolutely critical for CISOs to begin thinking and planning out the next phase of their career as being an equal partner to the CFO and CIO rather than a subordinate to them – and that’s a change that going to take a lot of adjustment from both sides.

As for the SolarWinds CISO, we are all waiting to see where this ends up. I firmly believe that it is simply not plausible to blame a CISO for a breach when so much is out of their hands, but I also understand that we accept certain accountability and responsibility when we take on the role. Hopefully, as this evolves and we have clarity as to what the SEC has planned, we’ll be able to adjust accordingly to ensure future CISOs are better prepared.