CyberSecurity SEE

Should senior IT professionals be held accountable for professional decisions?

In July, SolarWinds CISO Tim Brown and CFO Bart Kalsu found themselves in hot water as they received Securities and Exchange Commission notices of potential enforcement action. The action was related to their alleged violation of securities laws in response to the Russian hack of the Orion network monitoring software in 2020. The software, which is used by over 30,000 organizations, was compromised in the attack.

This incident is just one of several high-profile cases where chief information security officers (CISOs) have faced individual scrutiny for their decisions and actions. As companies continue to handle and access more personal data than ever before, regulators are demanding greater accountability and responsibility from security executives.

Looking back at past cases, two other notable examples come to mind. In May 2023, former Uber chief security officer Joe Sullivan was sentenced to three years’ probation and fined $50,000 for covering up a massive data breach that occurred in 2016. At the time, Uber had recently disclosed another data breach from 2014 that resulted in an FTC investigation. The 2016 breach involved hackers contacting Sullivan directly and stealing the data of approximately 57 million users. Sullivan paid the hackers $100,000 to keep the breach secret from the FTC, leading to his criminal charges.

The case raised concerns among information security professionals, who were worried about the potential liability they could face in similar situations. Many of them believed that Sullivan had done nothing wrong. In the end, Sullivan avoided jail time due to the volume of support he received from industry peers, friends, and family. Nevertheless, the message from the Department of Justice (DOJ) was clear – corporate executives must not conceal important information from the public to protect their reputation.

Another case that highlights the growing scrutiny of CISOs occurred in April of this year. Carlos Abarca, the former chief information officer of TSB Bank, was fined £81,620 (US$103,900) for operational resilience failings. The Prudential Regulation Authority (PRA) found that Abarca had breached its Senior Manager Conduct Rule by failing to ensure that TSB complied with PRA Outsourcing Rules. Specifically, Abarca didn’t take reasonable steps to ensure that a third-party service provider contracted by TSB was capable of handling its responsibilities.

The consequences of Abarca’s failure were significant. In 2018, TSB migrated data to a new IT platform, resulting in technical failures that disrupted banking services and affected a large portion of its 5.2 million customers. The disruption continued for months, causing frustration and inconvenience for many. The case emphasized the importance of senior managers taking responsibility for ensuring that firms effectively manage and supervise outsourcing.

These high-profile cases demonstrate that senior executives can no longer escape accountability for security failings that impact their customers, shareholders, and the wider market. As a result, the role of the CISO is evolving, and greater responsibility and scrutiny come with it.

However, with increased responsibility should come increased compensation. Will CISOs demand higher salaries to reflect their elevated accountability? And will this, in turn, lead to even greater scrutiny from regulators and stakeholders? These are questions that need to be considered as the role of the CISO continues to evolve.

During a panel at this year’s RSA Conference in San Francisco, Gadi Evron, CISO at venture capital firm Team8, highlighted the uncertainty and concern among CISOs following Joe Sullivan’s trial. Many were questioning their role in light of the fact that Sullivan was the only one standing trial. To mitigate the risk of liability, experts suggest conducting crisis communication drills, defining and understanding CISO role responsibilities, using the correct terminology, and maintaining composure in high-pressure situations.

Ultimately, preparation through practice is key to effective business continuity and incident response plans. CISOs and their teams must be ready to respond to cybersecurity incidents and crises, ensuring that the organization is well-equipped to handle any potential security breach and protect the public’s sensitive information. The evolving cybersecurity landscape demands proactive and well-prepared security executives who are accountable for the safety of their organizations and their stakeholders.
