Given my background, I empathize with cybersecurity leadership and can’t imagine trying to do the job at current expectation levels during the storm in which we find ourselves. The competition between business unit owners driving toward the 4th industrial revolution, pockets of shadow IT running unknown quantities of cloud sessions, increased dependencies on supply chains, open source everywhere, new heights of network complexity, a lack of available resources to fill the gaps, and increasingly sophisticated, smarter attacks from cyber criminals, along with promises of safety and security from 4,000 point-solution vendors, would drive anyone crazy.
If you have a CISO who appears to be keeping the lights on, make sure s/he is happy.
For every competent CISO, there must be a dozen who aren’t.
But CISO leadership is not limited to technology choices, maturity programs, operations and governance, and the provisioning of adequate detection and protection capabilities to ensure that a computing environment is safe from bad guys.
Leadership is responsible to the company and its shareholders for doing everything possible to ensure maximum protection: implementing and supporting a well-thought-out, carefully designed defense; leveraging the most effective technology tools; making optimal use of available resources; delivering the appropriate education and training to the right people at the right time; and communicating with the C-suite and board at a level where both sides operate from the same page of the playbook, at all times.
In addition, in most corporate IT environments the relationship between the IT leaders and the security leaders is adversarial, or at best operates with substantial friction. Each requires the other’s full cooperation to enable its programs and achieve its goals, and that cooperation is not always forthcoming.
The relationship between the board, the C-suite and the CISO is often ill-suited to the execution of actionable programs, because the definitions of accountability and responsibility are soft-pedaled and generally ignored by the senior party.
In practice this means responsibility, and even accountability, exist on paper but are not extended in fact, or are downright withheld, leading to mistrust and an inordinate number of counterproductive meetings, analyses and proposals.
My experience is that the board simply does not trust either the IT or the security leadership; they don’t trust that either team understands the business or could make the right executive decisions were they in charge, and as a consequence, the board will not relinquish the reins of leadership outside of their domains. The CISO doesn’t seem to be able to grasp business basics or understand, for example, the notion of risk transfer.
We hear frequently that 99% of global business leaders claim cyber risk is the greatest risk facing our economy, and when Fed Chairman Jerome Powell said on 60 Minutes that the greatest risk to the economy is cyber risk, we assume that our business leaders are all on the same page.
They don’t worry about inflation, another financial crisis or another pandemic — they worry about cyber risk.
The World Economic Forum (WEF) Global Risks Report 2022 tells us that the top three short-term risks to the world, as defined by its survey of 650 WEF leaders, are infectious disease, income inequality and extreme weather events. The fourth is cybersecurity. Nearly 40% of WEF leaders cited cybersecurity as a “clear and present danger” to the global economy.
While we have seen some degree of global cooperation around the first three issues, we have not seen the same level of cooperation around cybersecurity. The Convention on Cybercrime (AKA the Budapest Convention) has been ratified by 65 nations, but it focuses primarily on states assisting one another in the prosecution of cybercrime; it does not address today’s reality of nation-states attacking private-sector companies at will.
Are those 65 nations asleep at the wheel, or have they all signed up for Chinese protection under the Belt and Road Initiative (BRI)?
Even though we have seen these attacks in action now for years, we still have no convention-like treaty that establishes rules of engagement for nation-states in cyberspace and provides a legal framework for the international prosecution of violators.
As a consequence, nothing changes the global landscape for private or public leadership with regard to cybercrime and cyberattacks. Without modernized law at the level of global governance, it is nearly impossible to persuade decision-makers in private companies to break from the pack.
Risk transfer will remain the board’s Xanzolam unless and until the CISO community decides that it is their responsibility to force reality into their presentations, in a way that lets the board grasp the details of liability as they relate to its fiduciary responsibilities, or until cyber insurance disappears as a risk-transfer option.
Until then, business as usual.
Unless CISOs change the way they manage their organizations, this lack of leadership will remain one of the great Achilles’ heels of the cybersecurity space. It is the equivalent of laws under which shoplifters face no real prosecution as long as what they steal is worth $950 or less.
As even casual observers will recall, it took Colonial Pipeline only a day to decide on a ransomware payment of roughly $4.4 million (75 bitcoin), in spite of aggressive federal and law-enforcement advice to the contrary.
That is risk transfer in action, and it did nothing to prevent the next attack, on Colonial or on any other pipeline operator worldwide.
What we need is for the CISO to step into the breach, to embrace a true leadership role, which means defining a path forward that minimizes the probability of a catastrophic event. It is time for the CISO to report directly to the CEO or the board of directors. We are swimming in a new ocean now, and if we expect CISOs to be held accountable with personal liability and a fiduciary duty of care, then they need the appropriate reporting lines and decision authority as well.
The Joe Sullivan Verdict
Following the Joe Sullivan verdict, I will be surprised if our next shortage isn’t the CISO role itself. Would you risk 8 years behind bars to defend a dysfunctional company’s assets without controls or authority for $500K per year? Of course not, and when Sullivan’s sentencing becomes real for folks, there will be few willing to take that risk.
True leadership means having the courage to architect and promote an alternative to layered, defense-in-depth security models: an enterprise-wide Zero Trust strategy. That strategy begins with third-party assessment and a rigorous identification of critical assets. It isolates those assets through micro-segmentation and protects access to them through granular identity management and policy engines. It saturates the environment with monitoring of lateral activity, from initial entry through behavior on the network to session exit. And it depends on fully staffed cybersecurity hygiene programs and the discipline to adhere to best practices throughout.
It means translating that strategy into language the board understands, contextualized outside the standard threat/consequence matrix, so that professional risk decision-makers can make determinations aligned with realities they now grasp.
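To make the strategy concrete, the following is an added example (not code from the original article or from any vendor it mentions) of the two mechanisms the paragraph above leans on: a default-deny policy engine that checks identity, device posture and per-asset policy for every request regardless of where it originates, and a monitor that watches sessions after initial entry and flags lateral movement across micro-segments even when each individual request was allowed. The asset names, segments, roles and the session log are all constructed for illustration and are not real infrastructure.

```python
"""Added example: a minimal default-deny Zero Trust policy engine with
micro-segmentation and lateral-movement detection. All assets, roles and
session events below are constructed for illustration."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass

# Micro-segmentation: every asset lives in exactly one segment. Only the
# segments holding critical assets count for lateral-movement tracking.
ASSET_SEGMENT = {
    "erp-db": "finance",
    "payroll-app": "finance",
    "scada-hmi": "ot",
    "wiki": "corp",
}
CRITICAL_SEGMENTS = {"finance", "ot"}

# Per-asset access policy. An asset with no entry is denied (default deny).
POLICY = {
    "erp-db":      {"roles": {"finance-dba"},   "mfa": True,  "managed_device": True},
    "payroll-app": {"roles": {"finance", "hr"}, "mfa": True,  "managed_device": True},
    "scada-hmi":   {"roles": {"ot-engineer"},   "mfa": True,  "managed_device": True},
    "wiki":        {"roles": {"employee"},      "mfa": False, "managed_device": False},
}


@dataclass(frozen=True)
class Request:
    session_id: str
    user: str
    roles: frozenset[str]
    mfa: bool
    managed_device: bool
    asset: str


def evaluate(req: Request) -> tuple[bool, str]:
    """Policy decision for ONE request: identity, posture and asset policy.
    Network location is deliberately not an input; nothing is trusted for
    being 'inside'."""
    rule = POLICY.get(req.asset)
    if rule is None:
        return False, "no policy for asset (default deny)"
    if not (req.roles & rule["roles"]):
        return False, "role not permitted"
    if rule["mfa"] and not req.mfa:
        return False, "MFA required"
    if rule["managed_device"] and not req.managed_device:
        return False, "managed device required"
    return True, "allowed"


class LateralMovementMonitor:
    """Watches sessions after initial entry. A session that reaches into more
    than one critical segment, or keeps hitting denied assets, is flagged even
    if every individual request passed policy."""

    def __init__(self, max_critical_segments: int = 1, max_denials: int = 2) -> None:
        self.max_critical_segments = max_critical_segments
        self.max_denials = max_denials
        self._critical_seen: dict[str, set[str]] = defaultdict(set)
        self._denials: Counter[str] = Counter()

    def observe(self, req: Request, allowed: bool) -> list[str]:
        alerts: list[str] = []
        segment = ASSET_SEGMENT.get(req.asset, "unknown")
        if allowed and segment in CRITICAL_SEGMENTS:
            seen = self._critical_seen[req.session_id]
            seen.add(segment)
            if len(seen) > self.max_critical_segments:
                alerts.append(f"{req.session_id}: lateral movement across {sorted(seen)}")
        if not allowed:
            self._denials[req.session_id] += 1
            if self._denials[req.session_id] >= self.max_denials:
                alerts.append(f"{req.session_id}: probing, {self._denials[req.session_id]} denials")
        return alerts


def run(events: list[Request]) -> tuple[list[tuple[str, str, bool, str]], list[str]]:
    """Evaluate each request and feed the decision to the monitor."""
    monitor = LateralMovementMonitor()
    decisions: list[tuple[str, str, bool, str]] = []
    alerts: list[str] = []
    for req in events:
        allowed, reason = evaluate(req)
        decisions.append((req.session_id, req.asset, allowed, reason))
        alerts.extend(monitor.observe(req, allowed))
    return decisions, alerts


def _req(sid: str, user: str, roles: set[str], mfa: bool, managed: bool, asset: str) -> Request:
    return Request(sid, user, frozenset(roles), mfa, managed, asset)


# Constructed session log: s2 probes assets it cannot reach; s3 is a valid
# identity that nonetheless crosses from the finance segment into OT.
SAMPLE_EVENTS = [
    _req("s1", "alice", {"employee", "finance"}, True, True, "wiki"),
    _req("s1", "alice", {"employee", "finance"}, True, True, "payroll-app"),
    _req("s2", "bob", {"employee"}, False, False, "wiki"),
    _req("s2", "bob", {"employee"}, False, False, "payroll-app"),
    _req("s2", "bob", {"employee"}, False, False, "erp-db"),
    _req("s3", "carol", {"finance-dba", "ot-engineer"}, True, True, "erp-db"),
    _req("s3", "carol", {"finance-dba", "ot-engineer"}, True, True, "scada-hmi"),
    _req("s4", "dave", {"finance-dba"}, False, True, "erp-db"),
    _req("s5", "eve", {"employee"}, True, True, "backup-server"),
]

if __name__ == "__main__":
    decisions, alerts = run(SAMPLE_EVENTS)
    for sid, asset, allowed, reason in decisions:
        print(f"{sid} -> {asset}: {'ALLOW' if allowed else 'DENY'} ({reason})")
    for alert in alerts:
        print("ALERT", alert)
```

The point of splitting `evaluate` from `LateralMovementMonitor` is the one the paragraph makes: the policy engine is stateless and judges one request at a time, so session s3 passes every check, and only the monitor that follows the session across segments sees that a finance DBA identity has wandered into the OT segment. The probing rule on s2 is the cheap complement: repeated denials from one session are themselves a signal, not just noise to log.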
SEC Steps In
To sharpen the point, the SEC has proposed a new rule that will soon compel corporate boards to take cybersecurity seriously, whether they want to or not.
Under rules expected to be finalized by April, publicly traded companies that determine a cyber incident has become “material”—meaning it could have a significant impact on the business—must disclose details to the SEC and investors within four business days. That requirement would also apply “when a series of previously undisclosed, individually immaterial cybersecurity incidents has become material in the aggregate.”
The SEC’s rules will also require the boards of those companies to disclose significant information on their security governance, such as how and when they exercise oversight of cyber risks. That includes identifying the board member(s) responsible for cybersecurity and publishing their relevant expertise. Required disclosures will also cover how often, and through which processes, board members are informed about and able to discuss cyber risk.
These SEC rules are designed to compel boards to start addressing cybersecurity in terms of business value. Senior executive IT roles like the CISO would likely see both expanded importance in contextualizing the possible impact of breaches and greater scrutiny of how they are working to minimize risk.
While it is slightly annoying that it took the SEC to create what we’ve been carping about for years, progress is progress and we’ll take what we can get.