Peer of the Realm
The problem with trying to make someone a scapegoat is that they can very easily become a ram if you’re not careful.
It was recently reported that the Securities and Exchange Commission is expected to charge the CISO of software company SolarWinds with fraud:
“for his role in allegedly lying to investors by ‘overstating SolarWinds’ cybersecurity practices and understanding for failing to disclose known risks.’”
For those who don’t track these issues closely, the SEC focus on SolarWinds is rooted in the fact that threat actors, commonly attributed to Russian intelligence, compromised one of the company’s applications, which in turn granted the intruders access to a number of high value targets in the US government.
Now everyone gets pwned, that’s just a fact of life. Nobody expects anyone to successfully defend an organization against every threat, but it's not unreasonable to expect that when shortcomings are identified, a good-faith attempt to remedy them takes place. Being caught short and owning up to it is a part of good leadership; lying is not.
Success as a CISO is measured in many ways, but at the highest level there are only a few steps you need to follow to succeed:
Understand the CEO’s philosophy when it comes to security. You will not formulate an effective security strategy without knowing where security rates within the organization and what is expected of it. Are you expected to build a world-class program or just meet a particular set of standards? Are you expected to fight off the cyber hordes and run every case to ground in preparation for a lawsuit, or is the priority to wipe-and-rebuild, and get people back to work? Get oriented at the get-go and you can avoid wasting time and resources - and just as important - avoid an adversarial relationship with your boss and, well, everyone.
Understand your authorities and limitations. The power of the “C” in your title varies widely depending on the organization. You should come out of your first meeting with the boss knowing precisely what you can and cannot do unilaterally, what is off-limits, and who you need to partner with for everything else. You fight this reality at your peril (at least until you’ve built up enough social capital to credibly push back).
Put forth your best (security) argument, and support the (business) decision. When given the opportunity to weigh in on a decision that has security implications, it is important to remember that your job is not to be the computer police. Your job is to put forth the best argument on behalf of security, and let the boss make the decision that is best for the company (literally their job and legal obligation). Things will not always go your way, and you have to be OK with that. If you are not, the proper course of action is to voluntarily look for a new job. Being obstinate will find you involuntarily looking for a new job.
Document everything. This isn’t necessarily or exclusively because you want to cover your ass, but because you want references to help you better understand issues and incentives and other matters that make the organization tick. Why did this initiative fail? Why does no one support the idea of X? You can study documentation and revisit things in ways that are more likely to succeed. At a minimum, documentation helps you avoid wheel reinvention. Also, yes, it helps cover your ass.
Don’t lie. Unless you’re the only person who knows the truth, and there is no documentation or evidence anywhere, your lies will be found out. When that happens (at least when the feds are involved) it's too late: you’ve already committed a crime. In a postmortem reasonable people can disagree on the soundness of a given decision at a given point in time under specific conditions, but you can’t take back the lie. If your livelihood is threatened unless you lie, see the previous recommendation, and put these guys on speed dial (if you don’t want to be a goat, learn how to be a ram).
“What’s the fallout going to be?” is the cybersecurity industry’s favorite parlor game right now. I think there are a couple of things we can expect, and at least one thing we can hope for.
- Not this year, maybe not next year, but SOX for cybersecurity is coming. Making the CISO and/or the CEO attest that actions have been taken and progress is being made to address vulnerabilities and deal with threats. That the declared state of the organization’s security posture is accurate (not perfect, accurate). Prison if you lie. You know: accountability and transparency.
- Government looooves to tout public-private partnerships, but who in their right mind is going to cozy up to the people who at the drop of a hat will try to send you to prison? “Well if he hadn’t lied…” What if he was acting under duress? I don’t know about you, but I assume the accused and his children like to eat, and live in a domicile that isn’t made of cardboard. What if there were any number of factors in play we don’t know about? Where does the accused go to get his reputation back if it turns out the SEC is overstepping?
- The importance of developing additional skills beyond technology, policy, and practice will become paramount if one wants to assume CISO responsibilities. A working knowledge of the law at a minimum. The nature and issues impacting the business you’re in. Understanding board requirements and executive team dynamics. All the things you don’t care about but everyone else does.
If we’re very lucky, the next few years will see an increased level of clarity around CISO responsibilities. Clarity like you find with other CxO roles, which when it comes to security is still very hand-wavy if not outright ambiguous today (ask 10 CISOs what they do for a living and you’ll get 11 different answers). Especially if SOX for cybersecurity becomes a reality, peer status with other CxOs is inevitable, because no one will be willing to accept a role that is all risk and no reward.