CISOs are NOT Liable Leaders (Yet)

(July 31, 2023)

Businesses must address the misalignments that expose CISOs to excessive liability and elevate the role of CISO to ensure effective long-term success.

Executive Insights: 

  • The SolarWinds breach and subsequent CISO prosecutions highlight concerns regarding the treatment and limitations imposed upon security leaders within organizations.
  • CISOs often lack decision-making power and autonomy compared to other executives, which can undermine their ability to effectively lead and protect organizations.
  • Holding CISOs personally accountable for security breaches without giving them full authority and resources to implement effective security measures can drive competent professionals away from the role.
  • Organizations often perceive security as a cost rather than an investment, leading to a disconnect between security efforts and overall organizational goals.
  • The misalignment between trust and value objectives marginalizes the CISO's role as an insular technical pursuit, preventing them from participating in strategic decision-making alongside other executives.
  • To address these challenges, businesses need to transform structurally by elevating the role of the CISO to equal footing with other executives and empowering them with decision-making authority to integrate trust into the broader organizational strategy. 

Security leaders are undoubtedly familiar with the SolarWinds breach, its blow to critical data supply chains, and the legal implications for the company's CFO and CISO. The issuance of a Wells Notice to a CISO, unusual in cybersecurity incidents, may hint that the SEC is exploring new potential liabilities. Notably, the CISO role often lacks the same decision-making power and autonomy as other executive positions, evident in their dependence on other departments, such as IT, to enact security measures.

This dependence creates friction that can undermine their ability to lead. Further, it is worrisome to see CISOs held personally accountable for security breaches when they often lack full authority over how their practice is implemented, lack adequate authority to invest in safety measures, and carry less protective legal liability coverage than other corporate officers. The result is a heightened degree of liability imposed on those entrusted with leading organizations' security: the CISOs.

Concerns About the Treatment of CISOs

This situation raises concerns about the treatment of CISOs by, and within, organizations. Recent cases of CISO prosecutions indicate that CISOs are being held liable at levels far above their actual power to protect against such liability, potentially driving competent professionals away from this crucial role. By designating the CISO as the primary target for blame when a security event arises, organizations may evade their responsibility to build and run trustworthy companies at the expense of their security leaders.  

One pressing question emerges from these circumstances: why do organizations have security programs at all? The likely honest answer is "because someone/something requires us to", which frames trustworthiness as a cost rather than an investment, with fallout as predictable as it is regrettable.

While CFOs focus on delivering value to the business, discussions around security predominantly revolve around operational matters such as risk management and access control. The lack of a tangible business impact associated with security often relegates the CISO to a level beneath other executives.

As a result, they do not commonly participate in high-level decision-making or possess control over their own domain. Approaching security with a technical rather than a business conversation leads to a disconnection between trust efforts and overall organizational goals. Security becomes an end in itself rather than a business practice delivering value outcomes. Without a clear connection to the business, the true purpose behind security initiatives remains elusive.

This unfortunate misalignment between trust and value objectives marginalizes the CISO's practice as an insular technical pursuit rather than a means to drive business success. Consequently, they are excluded from strategic decision-making and denied a seat at the table alongside other executives. The presence of unbalanced incentives further aggravates the problem.

Prosecutions targeting vulnerable CISOs create a climate of fear and uncertainty within the industry. The underlying message is that any CISO might be next in line for blame when a security breach occurs. This reality holds true for all CISOs, regardless of their position or industry. Public company CISOs without D&O insurance are particularly vulnerable, and it is crucial for them to address this liability through their HR departments. Without adequate protection and accountability commensurate with that of CFOs and lawyers, CISOs will continue to face potential legal consequences disproportionate to their authority.

While it may be justifiable for the CISO to face similar levels of accountability as a CFO in the event of breaches, the lack of political and institutional power bestowed upon the former makes this situation unjust. The structural deficiency lies in how organizations perceive risk management, trust, security, safety, and compliance as mere operational functions rather than integral components of the business.

The SEC's treatment of the CISO as an accountable leader stands in contrast to their marginalized position within organizations. To address these challenges, businesses need to transform structurally in how they perceive and prioritize security. Elevating the role of the CISO to equal footing with other executives and empowering them with decision-making authority can ensure an effective integration of security into the broader organizational strategy. Only then can security truly contribute to business growth and success rather than being seen as a separate, technical endeavor.

The SolarWinds disclosure and subsequent CISO prosecution highlight the concerning treatment and limitations imposed upon security leaders within organizations. By addressing the structural deficiencies that hinder the empowerment and integration of CISOs, businesses can establish a stronger security posture, enhance accountability, and ultimately safeguard their long-term success.