Cybersecurity leaders are well aware that the industry is constantly evolving. Whether dealing with the kinds of threats organizations face or the security tools best fit to mitigate them, today’s leaders understand that they have to stay on their toes. But in just the past few years, there has been considerable change in one role specifically: the chief information security officer (CISO).
The way in which a typical CISO functions today is quite different from how a CISO would have conducted business in 2020. This is because the cybersecurity industry was forever changed by SunBurst, the software supply chain attack on SolarWinds’ Orion software in late 2020. That incident not only put software supply chain security and third-party risk management (TPRM) on the map, but also served as a paradigm shift for CISOs.
As those of us who have served as CISOs know, there is a constant tension between security, controls, and the business’s objectives; CISOs are expected not to head an “organization of no.” Prior to SunBurst, it was considered common practice for CISOs to have their security reports “prettied up” by marketing and PR teams for public presentation. More often than not, that resulted in their statements being watered down or losing their meaning. Even worse: Cleaned-up language might fail to capture the true state of security at their organizations. Doing this kind of whitewashing only a few years ago was the norm for publicly traded firms, which faced few if any consequences — legal or otherwise — for such activity.
These expectations for the CISO took a dramatic turn in October 2023, when the U.S. Securities and Exchange Commission (SEC) charged SolarWinds and its CISO, Timothy G. Brown, with fraud and internal control failures, alleging that the company “misled investors about its cybersecurity practices and known risks” in relation to the 2020 SunBurst incident. From the outside looking in, it seems as though Brown is being held personally liable for what had been considered common practice by many CISOs and their organizations.
Historically, the controls available to CISOs to ensure that commercial off-the-shelf (COTS) and other third-party components didn’t bring unacceptable risks into their corporate environments were generally limited to questionnaire-based surveys, rudimentary contract language, and technical security reviews (e.g., manual penetration tests). But today, these controls are seen as highly ineffective and unscalable in finding the types of risks we’ve seen in significant breaches in addition to SunBurst, such as 3CX, Kaseya, CircleCI, MOVEit, etc.
This new precedent brought forth by the SEC is now the defining event between two time periods. In this new era, which consists of concern for software supply chain security and newfound accountability, CISOs are now personally and financially responsible for the security outcomes of their enterprises’ security programs. Therefore, misrepresentation about the state of security at an organization is no longer acceptable.
Here’s what CISOs need to know in this new era — and how they can leverage their new responsibility to prioritize security within their organization.
To better understand this new level of scrutiny in the cybersecurity industry, it’s best to compare the newfound personal liability of a CISO to what is expected of a modern-day chief financial officer (CFO). Back in the early 2000s, the finance industry had its own paradigm shift, when the now-defunct energy company Enron collapsed, revealing a wide range of financial improprieties. Eventually, the company’s former CFO, Andy Fastow, was convicted by the SEC, in October 2002, on several serious charges, including “inflating the value of Enron’s investments.”
The SEC’s case against Brown and SolarWinds will “be like our (cybersecurity’s) Enron moment,” my friend Daniel Miessler shared in his writing about the SEC’s case against Tim Brown. That’s not in the sense of the alleged offense committed, but the reaction it spawns in regulators, he wrote.
Miessler and I agree that in this new era of scrutiny, CISOs will have to carry themselves in a similar manner to a CFO in the post-Enron world, making the modern cybersecurity leader more akin to a “cyber-CFO.” Rather than just being concerned about the enterprise’s security, cyber-leaders will likely be held personally liable for security assertions and external reporting and will be subject to regulatory standards, etc. – just as a CFO is today as a result of Enron and the subsequent Sarbanes-Oxley Act of 2002.
This is why I believe the following four changes will come (or have already come) for today’s CISOs:
There will be careful drafting training for senior executives, inclusive of CISOs and possibly the whole company. There will be a newfound priority within the C-suite to be extra careful regarding what is said and how it is said, both verbally and in writing, internally and externally.
CISO candidates with multidisciplinary and well-rounded backgrounds are more likely to be considered for these positions. Enterprises want CISO roles filled by seasoned security leaders who are also business-savvy. This is because security leaders with this kind of diverse background will have a better understanding of personal liability in the areas of financial and fiduciary responsibility.
The CISO will be a more senior executive than previously thought and will be expected to have a broad consideration for risk. The work and responsibilities of a CISO will be taken just as seriously as those of the CFO, and CISOs may even become a Section 16 officer of the company. Any CISO who isn’t willing to do so will find that others will gladly take their place.
CISOs will have the final word for their internal and external communications regarding the company’s security practices. Enterprises do not want to be held legally accountable for watering down the CISO’s factual messages about the company’s state of security.
All of the above changes are why a CISO now needs to start acting like a CFO on their very first day in the role. CISOs no longer have the freedom to prioritize business interests and subordinate cybersecurity, because they will be found liable for misrepresenting security practices in the event of a cyber-incident. CFOs can’t let some fraud, financial crime, absence of key stated controls, or insider dealing go while they ease into the role, and CISOs will need to start acting the same way regarding their company’s security program.
While some may find this new era of CISO accountability a threat, they need to look at the massive opportunity as well — and the opportunity is quite big! Yes, CISOs will have more work to do with this new level of scrutiny and accountability. However, this new era will allow them to take a more senior and influential role in the organization, receive greater allocations of resources to maintain an appropriate level of perceived risk, prioritize critical enterprise security needs, and be fully transparent on what security issues their company is dealing with.
And because CISOs and their respective companies will be more transparent and accountable, this should lead to greater trust in them from customers, board members, investors, employees, regulators, and the communities in which they operate.
To all of the CISOs out there, this is your moment to seize the day!
*** This is a Security Bloggers Network syndicated blog from ReversingLabs Blog authored by Saša Zdjelar. Read the original post at: https://www.reversinglabs.com/blog/ciso-accountability-in-the-era-of-software-supply-chain-security