The role of the chief information security officer (CISO) is changing as the responsibilities and expectations attached to the position shift. Recent events, such as the Securities and Exchange Commission (SEC) charges against the SolarWinds CISO, have raised concerns about the personal legal exposure a CISO carries in the event of a cyber incident. Cybersecurity leaders need to understand what these changes imply and adapt to the evolving shape of the CISO role.
The SEC's charges against the SolarWinds CISO have made the role less attractive at public companies. The increased personal legal exposure has left CISOs on edge, since they are now seen as potential "fall guys" when a cyber incident occurs. This has prompted some CISOs to reevaluate their positions, as seen when Clorox's CISO left the company after a major cyberattack in December. The precedent set by the SolarWinds case underlines the need for CISOs to be more closely involved in day-to-day security operations and to work directly with the individual security teams within their organizations, so that the picture they present to regulators and investors matches what those teams actually see.
In addition, CISOs must make sure they are working at high-integrity organizations with strong teams around them. The growing number of global cyber incidents and the evolving disclosure and privacy regulations require close communication between the CISO, legal, compliance, and senior business partners. This level of collaboration and trust is essential as fears around accountability grow and as the likelihood increases that whistleblowers will expose unsafe security practices.
Importantly, CISOs must anticipate that the rules of accountability can change at any time. While the current focus is on holding CISOs accountable, the industry may soon see a wider umbrella of responsibility that extends to CEOs and COOs. The Cybersecurity and Infrastructure Security Agency's Draft Secure Software Development Attestation Form already signals a shift of accountability to the very top of the organization, which could have significant implications for CISOs in the future.
Furthermore, CISOs must recognize that being always-on is part of the role. They must remain forward-looking and proactive in understanding new risks and global conflicts that can affect their organizations' security posture. The job of a CISO is not simply to remain compliant but to be a central decision-maker on every security matter within the organization.
In conclusion, the role of the chief information security officer is in flux, driven by changes in legal accountability, organizational integrity, evolving regulations, and a shifting distribution of cybersecurity responsibilities. CISOs need to adapt to these changes and become more proactive and involved in all aspects of cybersecurity to protect the security and integrity of their organizations. This evolving landscape presents challenges, but it also gives CISOs an opportunity to raise the profile of cybersecurity at the C-suite and board levels and to reduce their individual liability.