Between the Firewall and the Boardroom: Expectations From CSOs Today

CSOs/CISOs must push for board-level cybersecurity representation and cultivate new skills to tackle contemporary threats.

January 16, 2024

  • Chief information security officers/chief security officers have traditionally managed cybersecurity from a technical standpoint.
  • However, cybercriminals have stepped up their game in the past few years, and organizational resilience in the face of persistent cyberattacks has not kept pace.
  • Consequently, security leaders need to evolve in their roles to ensure cybersecurity and defense are core business functions aligned with business objectives.

Chief security officers (CISOs/CSOs) are in a pickle. Cybersecurity executives are facing judicial heat if two high-profile cases are any indication. The U.S. government’s legal proceedings against SolarWinds CISO Tim Brown and former Uber CSO Joe Sullivan, who was convicted, may have cybersecurity executives rethinking their responsibilities.

The role of the traditional CSO encompasses all things cybersecurity – the technical side. They are expected to own and lead an organization’s response during a cyber incident.

According to the Securities and Exchange Commission (SEC), this approach is precisely what needs to change when dealing with the contemporary threat actor. Case in point, the proceedings against Sullivan resulted in a conviction for concealing the 2016 Uber data breach and obstructing justice.

The SEC’s allegations of fraud against Brown, who has helmed SolarWinds’ cybersecurity efforts since July 2017, for misleading investors by “disclosing only generic and hypothetical risks” don’t sit well with Sullivan.

At Black Hat Europe 2023, Sullivan said, “The government, the FTC in my case, felt that my company wasn’t sufficiently transparent, and they sought to hold me personally accountable for that, even though it wasn’t my job to be the communicator of our security posture or answer any of their questions. In fact, I hadn’t seen a lot of the documents. And so, their case was about me being held personally responsible for the company’s approach to communication. Tim Brown’s case is the exact same thing.”

Speaking with Spiceworks News & Insights, David Lindner, CISO at Contrast Security, explained how the cases against his peers have impacted the role. “The highly publicized legal actions against Mr. Sullivan and Mr. Brown have undeniably left a mark on the mindset of current and prospective CSOs/CISOs. This has led to an emphasis on personal accountability, increased caution in decision-making, and an increased focus on foundational aspects such as risk management, compliance, ethics, and transparent communication,” Lindner said.

“Furthermore, these legal actions are influencing the way recruitment and retention of security leadership talent are approached, prompting a closer scrutiny of organizations’ dedication to security and legal compliance before individuals take on such roles.”

Roger Grimes, data-driven defense evangelist at KnowBe4, compared the developments in the cybersecurity industry to those in finance from over two decades ago. “Many years ago, Sarbanes-Oxley [Act] essentially did the same with financial reporting. It increased the personal responsibility of CFOs and CEOs with financial reporting,” Grimes said.

In 2024 and beyond, the role of security leadership should expand to include much more than that. The SEC’s July 2023 cybersecurity mandates are the driving force behind the evolution of the CSO role. Per the new rules, cybersecurity is no longer a technical problem and should align with other strategic business operations.


SEC’s New Cybersecurity Mandates

Rule #1: Security incident disclosure must be done within four business days of the breach. This is an important aspect of SEC’s new requirements because 42% of junior-level employees in cybersecurity teams have been told to keep a security breach confidential when it should have been reported, according to the Bitdefender 2023 Cybersecurity Assessment report.

The number of security employees asked to sweep breaches under the rug rises to 71% for those based in the U.S. The disclosure period can be extended to 30 days if the U.S. Attorney General assesses that disclosure would threaten national security or public safety.

Rule #2: Organizations are required to undertake cybersecurity risk management, strategy, and governance disclosures once a year. Under this, companies must describe the management’s efforts and the board’s oversight of proceedings against perceived cybersecurity threats.

Lindner said, “The emphasis lies in enabling investors to make informed decisions while also acknowledging the evolving nature of cyber threats” by clearly, comprehensively, and timely disclosing cybersecurity risks and incidents.

These federal legal liabilities came into effect on December 18, 2023.

“I find this directive to be a positive and necessary step. Requiring clearer, more detailed reporting of cybersecurity risks and incidents not only empowers investors to make well-informed decisions but also fosters a culture of accountability and diligence within corporate structures. By emphasizing the importance of timely and comprehensive disclosure, this move by the SEC encourages companies to proactively address cyber threats and reinforces the integration of cybersecurity considerations into overall risk management strategies, ultimately contributing to a more resilient and informed market landscape.” – David Lindner, CISO at Contrast Security

Grimes concurred, believing the new mandates to be “long overdue.” 

“My only question is whether this new mandate will become a new checklist compliance requirement or turn into real security. It’s really easy for new cybersecurity mandates to become something that is simply checked off with the ‘right’ audit and language. Real cybersecurity takes a true understanding of the problem and real ownership to decrease cybersecurity risk,” Grimes opined.

“It is that fundamental misalignment of the major threat with the defenses that allows hackers and their malware to be as long-term successful as they are. Will the new SEC rules change that equation and require better risk assessment and alignment? We will see.”


How Can a Traditional CSO Evolve?

Until now, the CSO was primarily a technical person responsible for communicating cybersecurity matters to those up the ladder, i.e., the C-suite executives, the board, and others. The role was formulated to provide a bottom-up perspective on what used to be considered a siloed undertaking.

Organizations are now expected to devise a top-down approach to cybersecurity, with the CSO emerging as the key facilitator across multiple organizational units, both horizontally (departments) and vertically (board of directors, senior and middle management, the average worker, etc.). The CSO role thus needs to become as cross-functional as possible.

CSOs must push for board-level cybersecurity representation

However, Lindner pointed out his apprehension over the lack of an SEC-mandated cybersecurity professional on the board. “The SEC’s inaction to mandate cybersecurity expertise on corporate boards is a concerning omission that could impact the protection and legal vulnerability of CSOs/CISOs. This absence overlooks a crucial opportunity to bolster organizational security measures and potentially shield CSOs/CISOs from personal legal actions.”

The CSO’s communication with the CEO or the board could also be diluted by the time it reaches the company’s stakeholders. “By neglecting to require dedicated cybersecurity professionals on boards, the SEC fails to acknowledge a vital facet of modern business resilience. Integrating CSOs/CISOs or cybersecurity experts into board compositions could provide invaluable insights into emerging threats, empowering boards to make more informed decisions on risk management, compliance, and strategic planning.”

“The lack of this requirement may curtail in-depth discussions on cyber threats, hindering the prioritization of cybersecurity initiatives within corporate governance. While the SEC’s emphasis on disclosure is vital, the absence of specific directives for cybersecurity expertise at the board level creates a notable gap in addressing security challenges at a strategic governance level.”

Willful omission by those higher up could also create implications for the CSO that would otherwise not exist. Thus, the CSO “will most likely need to intensify efforts to advocate for their involvement at the board level, emphasizing the strategic value of security expertise in decision-making. This might entail refining reporting structures, enhancing collaboration with other executives, and continuously educating board members about evolving cyber threats specific to the business.”

As such, even if the government hasn’t instituted a board-level requirement for cybersecurity, organizations must take it upon themselves to cultivate a cybersecurity paradigm that starts at the top. As this strategy becomes commonplace, necessitated by the contemporary cyber threat environment, CSOs must consistently push to align security initiatives with business objectives even without explicit SEC directives.

CSOs need to become skillful at…

As cybersecurity experts become commonplace on organizations’ boards, CSOs must cultivate effective communication when collaborating with the board, CEO, and other C-suite leaders, especially when translating technical jargon into business terms.

“The ability to align security initiatives with broader business goals and demonstrate the value of security investments is crucial. There will continue to be more pressure on regulatory bodies, such as the SEC, for cybersecurity transparency and alignment all the way through the board and, in some cases, publicly. CSOs/CISOs have to adapt to this.”

Additionally, CSOs must focus on proactive risk management, Lindner continued. “CSOs/CISOs will be expected to move beyond reactive approaches to security and adopt proactive risk management strategies. This requires CSOs/CISOs to have a deep understanding of emerging threats, vulnerabilities, and potential impact on the organization.”

Closing Thoughts

When asked how long before organizations become fully cross-functional to adhere to the ever-changing cybersecurity requirements, Lindner said, “As I always say, security is a journey and not a destination. Organizations will never become fully cross-functional.”

Nevertheless, transparency requirements and the necessity of cybersecurity as a business function dictate the expanding scope of security leadership. The present-day CSO is thus responsible for security operations from the firewall to the boardroom.

The CSO is not just a person with the technical authority responsible for identifying and dealing with risks; he is also a competent businessman in charge of ensuring proactive operational resilience, or at least that’s what the expectations have become.


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com