As SolarWinds CISO Timothy Brown faces SEC charges of fraud and internal control failures tied to undisclosed cybersecurity risks, it is clear that the liability landscape for security executives has changed.
CISOs have always carried the complex responsibility of securing critical systems and data, but the SEC's decision to hold Brown personally liable for the company's failure to fully disclose known risks signals a major shift for the CISO community. Expectations and consequences are changing: the SEC has shown it will hold a CISO legally and financially accountable when cybersecurity shortcomings, or flawed cyber risk assessments, made under their watch are misrepresented to investors.
Beyond personal liability, incidents of this kind also expose the organization to hefty compliance fines and reputational damage. To prevent them, CISOs must make substantive changes to their organization's security posture. Industrial organizations in particular need a better understanding of their cyber risks, and the silos between CISOs/CSOs and other C-suite executives, CFOs above all, must come down so that risk that is not documented properly does not end up hurting the bottom line. CISOs need to be equipped for this new duty and for bridging the gap between teams that usually have different drivers and speak a different language.
Weaknesses within the critical infrastructure industry
Organizations that operate operational technology (OT) assets and industrial control systems for critical infrastructure, including transportation, manufacturing, large data centers, energy, and oil and gas, are particularly susceptible to cyberattacks. That susceptibility has grown as OT has been connected to IT networks and to IoT-based remote monitoring, which has opened new avenues for attackers and raised the stakes for CISOs.
These vulnerabilities carry great costs, both monetary and legal. Because these environments are interconnected, a breach can set off a domino effect of sequential failures that endangers public health and safety. Because of that tie to public welfare, the likelihood of legal repercussions after a security breach in one of these industries remains higher than in others.
Relationships between CISOs and CFOs evolve
The SolarWinds case underscores the need for clear, consistent communication between CISOs and the rest of the C-suite. Without an ongoing, open dialogue among these leaders, no one can be fully aware of the range of complications a given cyber risk carries. Now that we have seen how such risks extend beyond security into catastrophic financial and legal consequences, conversations about them cannot take place only among CISOs.
The roles and responsibilities of CISOs and other C-suite executives differ dramatically, which naturally produces siloed processes and priorities. However, to stay aligned and protect the organization from data breaches and legal exposure alike, business leaders must learn to "speak the same language" and share the information needed to align their efforts and goals.
CFOs and CISOs must work together to evaluate how cybersecurity incidents translate into financial and legal risk. Cyber risk quantification and management tools can facilitate this: they aggregate data on threats, vulnerabilities and exposures and express it in financial terms and other easily digestible form that both executives can act on.
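To make the idea of "translating threats into lay terms" concrete, here is an added illustrative example of the kind of calculation a risk quantification tool performs. It is not the article's or DeNexus's model: a FAIR-style Monte Carlo in which constructed, hypothetical frequency and single-event-loss estimates for two industrial scenarios are turned into an expected annual loss, loss percentiles and a probability of exceeding a threshold, which is the form a CFO can compare against budgets and insurance limits. All scenario names and numbers are assumptions made up for the example.

```python
"""FAIR-style cyber risk quantification sketch (added illustrative example).

Not the article's or DeNexus's model. Scenario inputs are constructed
assumptions for a hypothetical industrial site, chosen only to show how
frequency and magnitude estimates become dollar figures a CFO can use.
"""
import math
import random
from dataclasses import dataclass

Z_P90 = 1.281552  # standard-normal quantile for the 90th percentile


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # expected loss-event frequency (Poisson rate)
    loss_median: float      # median loss of one event, USD
    loss_p90: float         # 90th-percentile loss of one event, USD

    def lognormal_params(self):
        """Fit a lognormal to the (median, p90) single-event loss estimate."""
        mu = math.log(self.loss_median)
        sigma = (math.log(self.loss_p90) - mu) / Z_P90
        return mu, sigma

    def expected_event_loss(self):
        """Mean of the fitted lognormal single-event loss."""
        mu, sigma = self.lognormal_params()
        return math.exp(mu + sigma ** 2 / 2)


# Constructed, hypothetical inputs (assumptions, not data from the article).
EXAMPLE_SCENARIOS = (
    Scenario("Ransomware via IT/OT boundary", 0.5, 200_000, 1_000_000),
    Scenario("Unsafe PLC command from remote access", 0.3, 500_000, 2_000_000),
)


def poisson_draw(rng, rate):
    """Number of events this year (Knuth's method; fine for small rates)."""
    threshold = math.exp(-rate)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return count
        count += 1


def simulate_annual_loss(scenarios, years=20_000, seed=1):
    """Monte Carlo: total loss for each simulated year, sorted ascending."""
    rng = random.Random(seed)
    params = [(s.events_per_year, *s.lognormal_params()) for s in scenarios]
    losses = []
    for _ in range(years):
        total = 0.0
        for rate, mu, sigma in params:
            for _ in range(poisson_draw(rng, rate)):
                total += rng.lognormvariate(mu, sigma)
        losses.append(total)
    losses.sort()
    return losses


def analytic_expected_loss(scenarios):
    """Closed-form expected annual loss, used to sanity-check the simulation."""
    return sum(s.events_per_year * s.expected_event_loss() for s in scenarios)


def exceedance_probability(losses, threshold):
    """Share of simulated years whose total loss exceeds the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def summarize(losses):
    """Expected annual loss plus the percentiles a board slide would show."""
    n = len(losses)

    def pct(q):
        return losses[min(n - 1, int(q * n))]

    return {
        "expected_annual_loss": sum(losses) / n,
        "p50": pct(0.50),
        "p95": pct(0.95),
        "p99": pct(0.99),
    }


if __name__ == "__main__":
    losses = simulate_annual_loss(EXAMPLE_SCENARIOS)
    stats = summarize(losses)
    print(f"Expected annual loss: ${stats['expected_annual_loss']:,.0f} "
          f"(analytic check ${analytic_expected_loss(EXAMPLE_SCENARIOS):,.0f})")
    print(f"1-in-20-year loss (p95): ${stats['p95']:,.0f}; "
          f"1-in-100-year loss (p99): ${stats['p99']:,.0f}")
    print(f"Chance of losing more than $1M this year: "
          f"{100 * exceedance_probability(losses, 1_000_000):.0f}%")
```

The output is only as good as the frequency and magnitude estimates fed in, which is why the analytic check is printed alongside the simulated mean: before a dollar figure reaches a CFO or a board, the CISO should know how much of it is estimate and how much is simulation noise. The same decomposition lets the two executives compare the cost of a proposed control with the reduction in expected loss it buys.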
Considerations looking forward
The SolarWinds news also makes clear that merely meeting the letter of compliance requirements is no longer enough. The heightened accountability demonstrated in this case emphasizes the need to continuously monitor security infrastructure and confirm that adequate defenses are in place before a breach occurs, not after. By embracing proactive cyber risk management and tools that give a comprehensive picture of risk exposure, CISOs can get ahead of potential incidents and close critical gaps, protecting themselves and their organizations from a wide range of problems.
Looking ahead, organizations would also benefit from treating security operations as a "team sport." By creating space for everyone to take part in security conversations, CISOs can build an emphasis on cybersecurity that spans the entire organization. Clearly communicating risks and concerns to senior leadership and advisory boards, and tying cyber risk management to business operations, also raises the odds of securing the funding and resources needed to fully mitigate identified risks. Bringing other teams into the organization's cyber risk strategy makes cybersecurity a shared business priority rather than a siloed goal of the IT and OT departments.
Jose M. Seara, founder and CEO, DeNexus