Navigating the complex role of the CISO under SEC disclosure rules

Breaches decline as security culture improves


I’ve led security functions and established cybersecurity board reporting processes for over 25 years. The relationship between CEOs and CISOs has always held contradictions, and the decisions around when to disclose a breach have always been hard. But the recent developments involving the SEC and SolarWinds are a regulatory game-changer for the CISO community. Still, I think we’ll all ultimately come out OK from this if we behave ethically.

New ethical lines are being drawn very quickly and publicly as teams figure out the lines between good judgment and fraud. I have no intention of moralizing here about the SEC’s allegations against SolarWinds and their CISO. Rather, I’d like to shine a light on the underlying principles of disclosure that have served as my own ethical compass, and which I think remain unchanged.

When all is said and done, CISOs have two clear principles at their disposal to draw their own ethical boundary lines in the sand.

Speak truth to power: It’s vital to tell it how it is to leadership… and now, to the SEC. We must be empowered to do so. Once an incident has been established as material (a term that’s still being defined), the clock is ticking on legal disclosure. Don’t spread falsehoods to further personal interests or to dodge consequences; those days are over. Lies carry legal consequences now.

Timely action: Whenever it’s time to act, do so with integrity. Prioritize doing what is right even when it would be so much easier to do nothing.

CISOs are entrusted with the responsibility to say something when we see something. I once led the response to a nation-state attack and major breach of at least 10 companies, of which a grand total of one agreed to join forces with us and investigate the breach when it was first detected. The rest buried their heads in the sand. I don’t necessarily blame the security teams for that inactivity. In some cultures, CISOs get blamed and fired for the breach even if it’s a zero-day exploit. They can get pushed aside and shouted down by the C-suite in the interests of safeguarding the stock price. I think those days are over.

First steps and a crucial decision

Breaches in real life do not play out like they do in the movies. There is no central monitoring system full of fancy displays. There’s no forensic expert from CSI Miami pacing the floor and explaining the breach’s origins, how far it’s spread, or the extent of its costs and damages. You don’t know the attacker’s intent, origins, or tactics; or anything else, really. Oftentimes, all you have to go on is that one system is sending suspicious traffic to another system. From there, it’s up to the CISO to act, or sit idle. And that’s your first ethical hurdle: act or look away.

Given recent developments, some may be tempted to turn a blind eye for as long as they can to avoid personal legal consequences. But despite its popularity in some business cultures, burying one’s head in the sand is not a successful incident response strategy. 

Navigating the evolving landscape of SEC disclosure regulations

The C-suite’s goals and incentives are misaligned with information security. It’s not entirely different from the old divide between CFOs and CEOs over financial disclosures 25 years ago, pre-Enron and the Sarbanes-Oxley Act. Hopefully, this SEC rule crystallizes cybersecurity culture and transparency for the C-suite, and gives the CISO a more prominent seat at the table.

My greatest concern with this SEC decision is that it may push companies with a culture of “sweeping the problem under the rug” to sweep breaches even deeper. Because of that, I hope the CxO community, together with their CISOs, CIOs, CTOs and other relevant stakeholders, has deep conversations about its approach in the future. The CISO role will need certain guarantees of empowerment.

A colleague of mine at Nokia once said, “Strategy is not a list of all the things you could do to make the world perfect, it is a list of things that you carefully select to do and other things that you decide not to do.” Strategy ultimately comes down to the focus you need to be a winner.

The same focus applies to cybersecurity. Take a risk-based approach: identify what the biggest risks are and put resources into mitigating those risks. Some CISOs today still try to fulfill every requirement listed in the security standards of the profession. But by aiming to do it all, they lose focus on what matters most, and they are doomed to fail at some stage.

The Board of Directors should be asking CEOs and executive leadership teams the following:

Are your employees helping prevent and detect real attacks? Has this crowdsourced threat intelligence been connected to the security operations team?

Do we have MFA in place with 100 percent coverage of all externally exposed services? That alone will cut your phishing risk in half.

How fast is our process for fixing externally exposed systems when misconfigurations and vulnerabilities are revealed?

Are our Tier 0 services an impenetrable fortress? 

Addressing these four areas will reduce your cyber risk, and worry, considerably. No, they are not silver bullets, but they are the cornerstones that will most likely send the big bad wolf from your house of brick to a house of wood or straw. 

Navigating these situations, from recognizing the incident through the disclosure process, is genuinely hard, and they underscore how crucial it is to maintain one’s integrity throughout. Always bear in mind: if you find yourself terminated for doing the right thing, your company has the wrong culture and you’re ultimately going to come out ahead. Being temporarily unemployed is better than going to prison.

Photo credit: Den Rise / Shutterstock

Petri Kuivala is a CISO Advisor at Hoxhunt and the former Chief Information Security Officer of Nokia and NXP Semiconductors. Kuivala has worked with many large multinational corporations like Siemens, Qualcomm, and Microsoft, is a founding member of the Helsinki Police Department IT-Crime Unit and was part of the Interpol network of Computer Crime Investigators. 

Author: Kenneth Henderson