Defective CISOs: Lock Them Up?

Author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, Chief Risk Officer, Kovrr
Date Published: 20 December 2023

If someone is paid for a service and does a poor job, there should be repercussions. If someone gives you a bad haircut (not that I would know anything about that), you likely want recompense, and after enough bad haircuts, you likely expect them to lose their job. This is the case in many scenarios: bad service typically equates to some form of compensation for your inconvenience. In the corporate world, doing a bad job sometimes equates to an unsatisfactory performance review, and after enough of those, the employee in question is shown the door. Conversely, we expect a job well done to be rewarded. A great haircut gets a tip, and consistently strong performance translates into raises, bonuses and promotions.

This concept has been top-of-mind ever since Tim Brown, the Chief Information Security Officer (CISO) of SolarWinds, was charged with fraud. A variety of headlines speak of the shockwaves this news is sending through the CISO community. But how much danger are CISOs really in? Let us examine some elements of this situation.

First, it is essential to acknowledge that this is a civil, not criminal, charge. Some possible outcomes of a civil charge would be fines and barring Brown from serving on public boards of directors. Cases such as this one may also be subject to criminal charges, which, as one might expect, could lead to more significant liabilities. Brown was not charged with being an incompetent CISO, but rather, with being fraudulent. Namely, internal statements about the Orion platform hack were compared to external statements and were found to be materially different (allegedly).

In light of these findings, a new precedent could be set. This has several interesting implications. First, suppose that after every hack, an enterprise can expect to receive a subpoena for its emails and documents related to the event. In that case, it follows that a reasonable organization would no longer permit any employee to write anything about an incident. This would irrevocably damage an enterprise's ability to respond to active incidents by restricting communications to face-to-face conversations or to written communication exclusively through expert witness firms (under the US Federal Rules of Evidence 702 [FRE 702]). This practice would be a boon to such firms, and anyone looking for a detailed accounting of an incident would be highly incentivized to consult with them instead of building out their own expertise.

This would also have an extreme impact on an organization’s risk management program. No longer could staff have open and honest conversations about broken or missing controls and the consequences that could ensue. Instead, there would be a convoluted chain of attorney-client-privileged (ACP) exchanges with outside consultancies providing risk management services. Only the most perfunctory internal risk operations would exist. It would severely disincentivize an organization from collecting and categorizing internal incident and event data for its cyberrisk quantification (CRQ) program, which would in turn torpedo any data-sharing agreements in the private sector.

There is also the question of whether the CISO must now be included in an enterprise’s directors and officers (D&O) and errors and omissions (E&O) insurance policies. This surely should have been enacted a long time ago; however, it would not have helped in the SolarWinds case because these policies exclude fraud claims. Even so, there is much to be said about an organization that had not considered this before. If the CISO is making material statements about an organization’s security, then they absolutely need to be included in these policies.

I suspect, however, that some of this is hand-wavy scaremongering. First, if the reports are accurate, the accusation is that the CISO reported verbatim, “Well, I just lied,” in internal communications. Most chief legal counsels would advise against anyone doing this, regardless of their position and capacity. Second, the material disclosures were germane to the strength of their passwords. We are on the cusp of having the investor community pay greater attention to the security control postures of organizations. However, I doubt that there is a level of sophistication as of yet that would allow them to make an informed decision about a single control, absent some sort of benchmark.

This is a seriously unpredictable time to be a CISO. Above all else, what is needed is clear communication of cyberrisk directly to the board by the CISO in financial terms. Only then can enterprises truly make informed decisions about what is and is not reasonable. These decisions, and the basis on which they were made, can be relayed to investors, who are then empowered to reflect their confidence (or lack thereof) in pricing an enterprise’s shares. The transparency of financial reporting does not happen through ACP, nor should security reporting. So, should a CISO be sent to jail if their organization is hacked? Well, maybe, and certainly if they are convicted of committing criminal acts. But I suspect that this will be a very rare occurrence, much in the way that it is for chief financial officers (CFOs) and other officers of an organization. We must always be wary of slippery slope arguments, especially so close to the events that spawned them.

Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, NACD.DC, is a cyberrisk quantification expert, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, ISSA Distinguished Fellow, FAIR Institute Fellow, IAPP Fellow of Information Privacy, (ISC)2 2020 Global Achievement Awardee and the recipient of the ISACA® 2018 John W. Lainhart IV Common Body of Knowledge Award.