The role of a CISO is to develop, implement, and enforce impartial, senior-level security policies for an organization. But what happens when, despite these efforts, a security breach occurs? What legal culpability does a CISO have in that instance?
SolarWinds, a company that provides software for managing and monitoring computer networks, has once again made headlines as the SEC filed a lawsuit last week against the company and its CISO, alleging they defrauded investors by concealing cybersecurity weaknesses. Regulators found that SolarWinds misled the public about the repeated cybersecurity risks it faced between its initial 2018 public offering and its December 2020 disclosure, including details about its 2019 cyberattack, which affected 18,000 of its customers and compromised over 100 Fortune 500 companies, federal agencies, and international entities.
As a CISO, a key part of my position is consistently researching trending cyber threats and news. In this research, I’ve encountered quite a few posts and articles about how the SolarWinds story has CISOs fearing for the future. There will be questions and scrutiny about whether Timothy Brown, the CISO of SolarWinds, was honest and forthcoming about the business’ cybersecurity posture, or whether he concealed the company’s cyber risks from company leaders and shareholders. While it’s fair to question what power the SEC regulators have to investigate and sue for these actions, it is also important that we understand exactly where liability lies: with the business or with the individual CISO. Ultimately, the courts will make this decision, and a precedent may be set that will have a lasting effect on the CISO role across industries.
In 2019, SolarWinds and many of its clients were victims of what is known as a supply chain attack. When the 2019 attack was revealed, it shook the business and IT world, but it was a positive catalyst for some much-needed change. At the time, third-party vendor management was lackluster and often non-existent for many organizations. Businesses were using several on-prem and cloud applications, such as SolarWinds, without fully vetting the security of those applications or the business practices of the vendor.
Fast forward to today: while far too many organizations still have room for improvement, many businesses have added supply chain management solutions, bolstered their third-party vendor management process, and are being rightfully critical of their vendors and partners. This is a time-consuming process in which compliance and security teams are responsible for gathering this information from vendors and analyzing it on a regular basis. Compliance certifications such as SOC 2 or ISO can often help expedite the process; however, there are frequently other considerations that those compliance frameworks don’t address. As a customer of a vendor, you are at the mercy of the vendor as a business as well as of its compliance and security departments.
With SolarWinds as an example, consumers must wonder: if there are businesses bold enough to be dishonest with the SEC, what might those same businesses tell their clients in order to earn and maintain their business? Collecting information about an organization’s security posture and reviewing it is one thing; being able to trust and verify it is another, since data can easily be manipulated through ambiguous language or selective framing. Accountable CISOs and business leaders must recognize the potential risks that working with outside partners carries and take the necessary steps both to identify those risks externally and to prevent them internally.
The outcome of this case will likely have long-lasting implications, and those who are lagging behind and/or putting profit over everything else may be in for an uncomfortable reality check. The relationship between CISOs and the rest of the C-suite and board should be evaluated immediately in many organizations to ensure the CISO is given the appropriate platform and support to be brutally honest and transparent, as well as the power to enact change in the organization when needed to reduce risk.
There is a question as to whether the CISO position should be kept internal to an organization or whether the right solution is to shift toward an external entity, such as a vCISO. This practice would introduce an impartial third party that has less personal stake or financial benefit in how the security policies it establishes may affect the business’ immediate bottom line. Thus, a vCISO can perform the role as intended and be an unbiased advocate for cyber hygiene and an excellent security posture within the organization. The job of a CISO is not to make a company's security posture seem good, but rather to ensure it is good and to address where it falls short.
A CISO and the security and compliance teams within an organization must analyze their organization through an objective lens that considers the full picture. Relying solely on compliance and security framework requirements will reduce risk in an organization, but those frameworks aren’t guaranteed to address the biggest threats and risks the organization actually faces. Legal cybersecurity complexities are only going to continue to grow. It is up to leaders to decide what level of risk they are willing to take on for their business, but it is also up to CISOs to decide what level of risk they are willing to take on as individuals.
Entara: Your Trusted Cybersecurity Advisor
Entara’s vCISO service can give you the peace of mind that your business, people, and data are safe and secure from evolving cyber threats. We offer complete, integrated IT and cybersecurity solutions tailored to your company’s unique needs and challenges that help you meet industry regulatory requirements. We employ a range of security integrations and technology services to better protect your system, network, and data. Connect with us to learn more about how we can support your organization.