Tips for CISOs to Protect Themselves 

SolarWinds, which was at the center of the December 2020 hack that affected multiple U.S. government agencies, has reported that its executives may soon face charges from the U.S. Securities and Exchange Commission (SEC) over the company's cybersecurity controls and its handling of the incident.

Reuters first reported that the SEC sent Wells notices to several current and former SolarWinds executives. A Wells notice is a letter the commission sends to people against whom its staff intend to recommend enforcement action. The notices allege that the company violated federal securities law by lacking adequate internal cybersecurity controls.

The 2020 SolarWinds hack affected several large companies as well as the Defense Department, Justice Department, Commerce Department, Treasury Department, the Department of Homeland Security, the State Department, the Department of Energy, and more. The U.S. government has attributed the incident to the Russian Foreign Intelligence Service (SVR).

The SolarWinds executives in the SEC's crosshairs are reportedly the chief financial officer (CFO) and the chief information security officer (CISO). Potential penalties include civil fines and a bar on serving as an officer or director of a public company.

The SolarWinds executives are not the first C-suite executives targeted by the federal government in the past year. In May, a judge sentenced the former chief security officer (CSO) of Uber to three years' probation over a 2016 breach; the government accused the CSO of obstructing an active Federal Trade Commission (FTC) investigation into Uber's security practices and of concealing the cyberattack. The case was likely the first in which a security executive faced criminal charges for mishandling a data breach.

The Uber conviction sent a chilling message to the cybersecurity community. How culpable should executives, and security executives in particular, be for a company's incident response?

Security executives are usually answerable to higher executives such as a chief executive or a board of directors. That means they can be overruled, especially at critical moments of a response. Could the threat of personal liability for a mishandled response dissuade professionals from taking CISO roles? That would be incredibly detrimental to a profession that already lacks qualified people to fill high-profile positions.

A survey by Proofpoint found that 60% of CISOs in the U.S. had experienced burnout in the past 12 months, and 62% said they were concerned about their own personal liability.

CISOs are facing an overwhelming number of responsibilities, including navigating ever more regulatory hurdles and scrutiny. Add the prospect of personal penalties or even jail time to that list, and what does it mean for the future of the role? Will qualified individuals still want CISO positions, especially at high-profile or publicly traded companies?

Late last year, a former Twitter security executive blew the whistle on what were allegedly poor cybersecurity practices at the social media company, which has since been rebranded as X. The allegations included a lack of adequate network logging and claims that Twitter had misrepresented the stability of its data centers and its recovery plans to the SEC.

Security problems at a company often go beyond its security executives. Security executives cannot necessarily force other executives or the board to care about cybersecurity. They can do their best, but at the end of the day it is usually people outside the security organization who control the purse strings.

The above cases highlight the need for transparency. High-profile security incidents used to be rare news; today they splash across the headlines. A recent example is the way vulnerabilities in the MOVEit file transfer software affected private and public sector organizations, including potentially exposing the personal information of nearly every citizen of Louisiana.

Trying to cover up an incident has always been reckless, but today it can be criminal. Security executives need to be transparent throughout an incident, and information sharing has become easier. The Cybersecurity and Infrastructure Security Agency (CISA) has done a good job of building resources that let organizations share information during an incident or a potential incident.

Of course, the threat of punitive action does not make anyone eager to be transparent; it seems rather counterproductive. But if you are open about what occurred and how you are fixing it, the public and regulators will likely be more forgiving than if they later discover an attempt at concealment.

During an incident, document the steps you are taking to mitigate it as you take them. Hold an after-action meeting as well, so you can review how the event unfolded and how well you responded. This protects you as much as it protects your organization. Schedule it within a reasonable time after the incident, while the event is still fresh in everyone's mind.
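As an added example (not from the article, and not any vendor's product): a hash-chained, append-only incident action log in Python. Each step recorded during a response is bound to every step before it, so the record you later hand to counsel, regulators or the after-action meeting is tamper-evident. The incident id, actor names and log lines below are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(prev_hash, fields):
    """SHA-256 over the previous entry's hash plus this entry's fields,
    serialized canonically so verification is deterministic."""
    payload = json.dumps({"prev": prev_hash, **fields},
                         sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class IncidentLog:
    """Append-only log; every entry carries the hash that chains it to its predecessor."""

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def record(self, actor, action, detail, ts=None):
        fields = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "incident": self.incident_id,
            "actor": actor,
            "action": action,
            "detail": detail,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = dict(fields, hash=_digest(prev, fields))
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        """Hash of the newest entry; anchor this outside the log to catch truncation."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def export(self):
        """One JSON object per line (JSONL), suitable for e-mailing or archiving."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def verify(jsonl_text, expected_head=None):
    """Recompute the whole chain. Returns (ok, reason)."""
    prev = GENESIS
    for line_no, line in enumerate(jsonl_text.splitlines()):
        entry = json.loads(line)
        claimed = entry.pop("hash", None)
        if entry.get("seq") != line_no:
            return False, f"seq mismatch at line {line_no}"
        if _digest(prev, entry) != claimed:
            return False, f"hash mismatch at seq {line_no}"
        prev = claimed
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch (log truncated or extended)"
    return True, "ok"


def build_sample_log():
    """Constructed sample incident; ids, names and timestamps are illustrative."""
    log = IncidentLog("IR-2023-0042")
    log.record("a.analyst", "alert-triaged",
               "EDR alert on build server; scope unknown", ts="2023-07-10T14:02:00+00:00")
    log.record("ciso", "notified-counsel",
               "Outside counsel and CEO briefed; legal hold requested", ts="2023-07-10T14:30:00+00:00")
    log.record("ir-lead", "containment",
               "Build server isolated from network; disk image taken", ts="2023-07-10T15:10:00+00:00")
    return log


def tamper_detail(jsonl_text, seq, new_detail):
    """Simulate someone quietly editing an entry after the fact."""
    lines = jsonl_text.splitlines()
    entry = json.loads(lines[seq])
    entry["detail"] = new_detail
    lines[seq] = json.dumps(entry, sort_keys=True)
    return "\n".join(lines)


def drop_entry(jsonl_text, seq):
    """Simulate an entry being removed from the exported log."""
    lines = jsonl_text.splitlines()
    del lines[seq]
    return "\n".join(lines)


if __name__ == "__main__":
    log = build_sample_log()
    text = log.export()
    print(verify(text, log.head()))
    print(verify(tamper_detail(text, 1, "Counsel not contacted"), log.head()))
    print(verify(drop_entry(text, 2)))            # tail removed, no anchor: passes
    print(verify(drop_entry(text, 2), log.head()))  # tail removed, anchored: fails
```

The chain catches edits, reordering and removal of interior entries on its own. Removing the most recent entries is only detected when the current head hash has been anchored somewhere outside the editor's control, for example by sending it to outside counsel at each shift change and passing it back as `expected_head` at review time.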

As a CISO, consider keeping a trusted lawyer who does not represent the company on retainer. If you are asked to do something that does not sit well with you, or that could be construed as unethical, you can then get advice that is not biased toward the company's interests.

CISOs should make sure their employers give them the same coverage under directors and officers (D&O) liability insurance that the rest of the C-suite and the board receive, and should confirm that the policy actually names them as a covered officer.

Disclosure requirements for cybersecurity incidents are currently a hodgepodge of state, federal and international regulations, which makes it increasingly difficult for CISOs to know what they are obliged to disclose during an incident. That is unlikely to change any time soon.

CISOs therefore need to prepare proactively: think through their personal liability in the event of a cyber incident, document as much as they can while an incident is under way, and be as open as possible with the authorities throughout.