The CISO Ethical Dilemma: Why it Matters in Today’s Global Digital Landscape

(December 20, 2023)

Being a Chief Information Security Officer (CISO), or serving in that role, has never been more challenging or essential than it is today. We CISOs face immense pressure from many angles: the constant barrage of cyber threats and attacks, regulatory constraints including the new SEC Cybersecurity Disclosure Rules, and the general demands of such an important mission, protecting a company’s critical assets and preserving shareholder value. Balancing technical and business acumen with ethical thoughtfulness, your Thin Red Line, in today’s climate requires a multidimensional awareness approach. By embracing transparency, ethical decision-making, and purposeful networking, and by keenly observing the recent experiences of other security executives, CISOs will not only protect their organizations but also guard against personal liability and preserve their professional integrity.

While the SEC Cybersecurity Disclosure Rules govern public companies, make no mistake: they offer food for thought for all CISOs and executives, including the Board, regardless of whether the company is public or not. In short, the Rules mandate that publicly traded companies disclose information about cybersecurity risks and material incidents in a timely and accurate manner, and the Board and other executives should play a role in this.

For CISOs, these rules underscore the need for a proactive stance in identifying, assessing, and disclosing cybersecurity risks. The responsibility extends to ensuring that disclosures are not just compliant with regulations but also truthful and complete. This means CISOs must balance technical details against the broader impact of cybersecurity issues on the organization’s value and operations. The hidden implication in these rules is the ethics required when completing the required disclosures. Ethical responsibility and personal due diligence extend beyond regulatory mandates; they are of the utmost importance to being a CISO today.

CISOs Have Ethical Responsibilities in Cybersecurity Management

Effective communication with stakeholders, including the board of directors, executives, and shareholders, is key. CISOs must present cybersecurity issues in a context that is understandable and relevant to each stakeholder group. You cannot be the CISO who presents every discovered risk as a material issue, but you also, as we have seen recently, cannot minimize or withhold important information that should be used in assessing the situation and deciding on courses of action. Presenting risks within the Enterprise Risk department’s framework, with the assistance of Legal Counsel, is a recommended approach.

Incident Management and Response can be the make-or-break point in the CISO role. The first course of action is to develop, or confirm that the program already includes, a robust Incident Response Plan that has been vetted by many people knowledgeable in the practice of Incident Management, and to evangelize it throughout your organization. CISOs must lead with integrity, ensuring prompt action, clear communication, and a focus on minimizing harm to all stakeholders. That starts well before an incident.

Continuously Assessing Risks is an ethical responsibility of the CISO and the security team. It is crucial for CISOs to stay abreast of emerging threats and to ensure that risk assessments are current and reflect the evolving cybersecurity landscape. A number of departments within an organization, such as Legal, Audit, and Enterprise Risk, can assist or at a minimum serve as a sounding board.

Transparency and Accuracy are paramount to what a CISO does on a daily basis. Whether disclosing breach information or cyber risks to regulatory bodies, reporting to the Board and other executives, or speaking candidly to one’s own team, CISOs must ensure clarity, factual information, and full transparency. This includes providing a clear picture of the situation, the steps taken to mitigate risks or implement your strategy, and the potential impacts.

A Personal Crisis Management Plan is Needed by CISOs

Given the nature of cyber breaches, CISOs must also take steps to protect themselves personally. Make no mistake, CISOs have faced pressure for some time, but now that pressure can lead to disastrous personal and ethical consequences. A Personal Crisis Management Plan should consider professional, legal, and financial strategies.

Documenting and Record-Keeping of all cybersecurity measures, risk assessments, and decisions should be done in great detail, including communication with other executives whether or not they buy in to security plans; in other words, the no’s are just as important as the yes’s. This documentation can be crucial in demonstrating due diligence and compliance with regulations, and it can also be important if legal matters arise.

Keeping up with Legal and Compliance developments in cybersecurity is a responsibility that CISOs should take very seriously as part of their role. CISOs need to stay informed about the latest legal developments in cybersecurity; regularly seeking out training and consultations with legal experts will help CISOs navigate the complex regulatory environment and determine the best strategies.
 
Professional Liability Insurance is a must-have for CISOs today. Be sure to consult with an expert when obtaining this type of insurance. Some popular policy types won’t provide coverage if, for instance, you are not considered an officer or director of the company. Insurance helps protect against the personal financial risks associated with legal actions stemming from cybersecurity incidents.

Ethical Decision-Making Frameworks are important to create. This is your Thin Red Line. Document it! Memorize it! Post it in your office or home office! Evangelize it to others. This is your moral compass, your ethics strategy for when hard decisions need to be made. The framework should guide actions and decisions, especially in complex situations where legal and ethical lines may blur, or in situations where you are being coerced to do or not do something, such as disclosing risks.

Collaboration with Legal, Finance, and PR Teams should be among the first relationships CISOs foster upon starting at a company. Even better if you can interview with the General Counsel to get an idea of their thought process on cybersecurity. Working closely with these teams, and others, will help ensure that all disclosures and public communications are legally compliant and ethically sound.

A Word on Best Practices in Ethical Cybersecurity Management

CISOs should develop a robust, comprehensive Cybersecurity Policy that addresses risk management, incident response, and disclosure protocols. It should be signed off by your legal team and promoted from the top. An organizational culture in which cybersecurity is a shared responsibility, the program is rewarded, and training is embraced helps build cybersecurity awareness. CISOs also need to collaborate with Enterprise Risk and Audit to implement strong governance structures for cybersecurity that define roles and responsibilities throughout the organization and maintain accountability at all levels.

One of the most important roles of a CISO is to build strong relationships with stakeholders, including the board (especially the board), executives, legal, and risk management teams, among others. These relationships are vital to ethical decisions.

With elevated cyber threats, data breaches becoming more common and more impactful, and increasing regulatory scrutiny, the CISO’s role as an ethical guardian and strategic leader is crucial in steering organizations through our global digital landscape. By using an ethically grounded approach that harmonizes the well-being of CISOs with the broader objectives of their organizations, we can uphold the integrity and sustainability of this crucial role. The ethical stewardship of cybersecurity is imperative for fortifying our digital defenses. Now is the time to embrace these ethical challenges, as the future resilience of our cybersecurity landscape hinges on our commitment to ethical decision-making and action.