
Does Your Authority Align With Your Accountability

A new reality for CISOs.
Erik Boemanns
Contributing CISO

With the enforcement of the SEC’s new cybersecurity rules, CISOs at public companies are coming to grips with a higher level of accountability than they may have faced before. The SEC’s pursuit of personal liability against the CISO of SolarWinds only heightens the level of concern. These regulatory changes are causing companies to revise their corporate governance RACI (Responsible, Accountable, Consulted, Informed) charts to reflect the new requirements.

Where SEC filings may have once been the responsibility of corporate counsel and the Chief Financial Officer, the CISO should now expect to be pulled into sharing some of the responsibility. And when things go wrong, they will still be held accountable for any gaps leading to a cybersecurity lapse.

New Requirements

The new rules give public companies two new filing requirements. The first relates to material cybersecurity incidents. Companies will now be required to publicly disclose a material cybersecurity incident via an 8-K filing. The report is due within four days of management determining it to be material. While there’s much history around the definition of material in a non-cybersecurity context, the exact contours of it with the new rules will be developed over the coming years.

The definition of how much time companies can take to determine materiality, which the SEC only says must be done “without unreasonable delay,” will also need to be worked out. As this determination triggers the four-day reporting requirement, there will be a lot of questions about how much research and investigation into a breach is considered reasonable.

The second new requirement is part of the annual Form 10-K reporting. Now, companies will need to disclose their risk management processes around assessing, identifying, and managing material cybersecurity risks. Additionally, companies need to describe the board of directors’ oversight of cybersecurity risk. This includes how the board and management are responsible for these risk management processes. 

The SEC wants to make sure public companies are clear on lines of responsibility from the board through senior management. The “hand wave” of “our CISO has it” won’t be sufficient without more detail around how they “have it” and what support the board is giving them to be successful.

Figurehead No More

At most companies, the CISO is the accountable figurehead of the cybersecurity program. They have built a team, as well as policies and procedures, to make sure the responsibility for security lies with those most able to implement good controls. The software development team is responsible for writing secure software. The infrastructure management team is responsible for maintaining patches and updates. The security operations team is responsible for detecting active threats to the environment. The CISO gathers the status of all the responsible parties and then reports it to other senior leaders and, hopefully, to the board as well.

When the inevitable security breach occurs, it’s the CISO who is going to be explaining what happened and why to the board. It is also the CISO who is going to be helping draft the 8-K if it is determined to be material.

Taking the Blame

The risk CISOs face with their heightened accountability is they rarely have management oversight over those responsible for doing the work. To reduce conflict of interest, a CISO shouldn’t be in the reporting structure of the CTO or CIO. But while independence allows a CISO the ability to observe and prescribe, it doesn’t give them the authority to enforce requirements. If a software team has chosen to skip required steps in their secure software development lifecycle, it is their management (likely a CTO or Chief Product Officer) who has the authority to enforce or waive the requirements. 

A CISO’s only ability is to report the issue to management. And management has the right to accept the risk, even over a CISO’s objection. Unfortunately, when accepted risk later comes back to bite the company in the form of a cybersecurity incident, the blame often aims first at the accountable individual, the CISO.

Balancing Risk

The CISO is ideally a risk manager. They are framing cybersecurity risks in business terminology of loss avoidance. Cybersecurity investments should be less than the potential loss due to a breach. But, as with all risk management, it’s speculation about potential future loss. If they are wrong, the company may be spending more on protecting itself than the risk warrants. Or, the bad thing still happens, despite the investment in security. 

Both scenarios are bad for the CISO.  But the second will more likely run into the SEC’s question of whether the investment was reasonable to the risk.  Did the company do enough to mitigate?  Or at least, did they do what any other reasonable company would do in the same situation?  It’s an uphill argument to say you took reasonable precautions, when, in fact, those precautions failed to prevent the bad thing from happening.

This puts the modern CISO in an awkward position with respect to their job.  They will be accountable for risks but not have the authority to manage the same risks.  CISOs need to begin to review the company’s policies and procedures for how risks are assessed, mitigated, and reported.  They need to have a seat at the proverbial table for measuring the effectiveness of controls and the ability to control whether a particular risk is accepted by other management. 

Part of this will be to realign some lines of authority to the CISO.  For example, if team members are disregarding security controls, does the CISO have disciplinary authority over another leader’s team?  If the company is preparing an SEC filing, will they require the CISO’s sign off before publishing it?  What influence can they have over operations if they determine them to be a security risk? 

The Wrap

The role of the CISO is constantly changing, as the threats of cybersecurity are evolving faster than most companies can keep up. With greater public interest in knowing a company’s cybersecurity posture, it’s time for CISOs to evaluate their job descriptions or office charters and make sure they are gaining some authority to implement change. It’s time to look at how to align their executive authority to their executive accountability. 

It won’t solve all the problems headed their way, but it can at least put some teeth into the enforcement of good security practices where others may have more appetite for risk than is healthy.  And then, perhaps the CISO can stand the test the SEC, the public, and the market will be giving them. 
