For some time, the responsibility for cybersecurity events has been gradually moving up the chain. More and more, it has been going straight to the top.
Thanks to legislation like the SEC’s Cyber Disclosure Rules, the industry is seeing a new day for cyber accountability, and it is one that includes a lot more CEO oversight, burden, and liability. Historically, it has been the CISO who has been holding the bag. Now, CEOs are being seen as increasingly responsible for their part, which includes funding and support for CISO initiatives.
Before, CISOs Took the Brunt of the Blame
It’s well-known in the industry that the average tenure of a CISO is about 2 years. One of the main reasons is that they work in environments that are significantly underfunded and under-resourced and are expected to deliver on impossible expectations. If a significant incident occurs, they get scapegoated since their title implies that they are the ones responsible and should be held accountable. For years, this meant separation from the organization, and the CISO moved on to their next job.
It is understandable that CISOs represent the tip of the spear when it comes to cyberattacks, but the role of a CISO is often misunderstood. They are limited to the resources they have at their disposal, and any cybersecurity initiatives they want to put forth must be supported, funded, and approved by another higher-up. Typically, the one with the authority to make those kinds of allocations and decisions is the CEO — and industries everywhere are starting to take note of what that means, especially in the realm of cyber debacles.
Now, the Industry Is Getting CEOs Involved
Typically, the CEO will allocate funds and resources to meet specific requirements only when legally mandated. Any additional funding approved by the CEO usually goes towards business growth, including increasing revenue, market share, and demand.
Historically, CEOs have not been held accountable for security-related incidents, as their focus is on their own areas of accountability. However, the new SEC Cyber Disclosure Rules have introduced a section that includes CEO accountability. This shift in accountability is expected to foster a closer and more robust partnership between the CEO and their CISO, and to promote additional transparency across the C-Suite and the board of directors in relation to the organization’s risk management program.
Publicly traded companies with headquarters within the U.S. have four days to disclose a material breach, according to the SEC disclosure rules. There is not (yet) a similar disclosure requirement for international companies with headquarters outside of the U.S., so for the time being, we should expect business as usual for those entities, with just enough effort to comply with the disclosure requirement.
Why Increasing CEO Cyber Accountability Makes Sense
CISOs do the best they can with what they have, but all too often their resources are out of their control. Instead of immediately assigning them the full force of the blame when cyber incidents happen, industry (and legislative) trends are starting to shift toward other parties who also bear responsibility. CEOs make decisions on the budgets and resources feeding cybersecurity initiatives, and, more and more, they are being held accountable by their board of directors for what happens when those budgets and resources are not enough.
This forces CEOs and CISOs to come to the table and share a common fate. This will also encourage increased sharing of common resources, which will benefit both parties in the event of a security fallout.
CEOs Sharing Responsibility for Incident Reporting
The (relatively) new SEC disclosure rules necessitate a joint team of collaborators from across the C-suite and security aisles. Jeff Moline, General Manager at Fortra, states that this will happen in two parts:
First, the CISO and CIO will need to ensure that the CEO and board of directors “receive concise, actionable data about cyber risks and incidents.”
Next, the board will need to determine how those cyber incidents could affect the organization’s risk profile.
It will ultimately be the CEO’s responsibility to ensure that their organization complies with all regulatory obligations under the new SEC requirements.
In this paradigm, the CEO is at the helm, leading a team made up of stakeholders, board members, and the CISO. Putting the CEO “at the top” of the cyber incident food chain reflects the changes that we are beginning to see, starting in part with the SEC Cyber Disclosure Rules, under which the CEO must account for the actions that occurred at their organization which impacted or contributed to a cyber breach.
As affirmed by Joe Sullivan, CEO of Ukraine Friends, in Dark Reading, “With very few exceptions, the CISO or senior-most security leader is simply not the ‘responsible corporate officer.’ It’s the CEO. Security leaders rarely, if ever, get the budget needed to do their job well. CEOs and boards that do control the corporate budget rarely invest the time to understand their cyber-risks and instead allocate resources in other directions.”
CEOs Next in the Hot Seat?
While the majority of security legislation has yet to lean towards implicating the CEO “full-time” for unfortunate cyber events, that day might not be far off. As noted by Sullivan in the Dark Reading article, at a hearing where the CISO was brought to trial, “the judge made it a point to challenge the Department of Justice and ask why the CEO was not brought to court.” Other similar instances are starting to crop up:
CISA now requires CEOs (not CISOs) to sign its pledge to use secure by design principles when selling software.
A letter from Sen. Ron Wyden (D-Ore.) to the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC) urged that, when investigating a ransomware attack, the CEO and the role they played also be taken into consideration.
When security failures resulted in the data exposure of 2.5 million customers, the FTC took action against the company’s CEO.
Will the trend towards CEO accountability continue? It looks like it. Now, organizations exist explicitly to help CEOs “understand their legal duties around cyber security and teaches them how to manage the senior executive team according to recognized cybersecurity models” and limit their liability in the event of a cyberattack.
Even the Enron scandal, which led to the creation of the Sarbanes-Oxley Act (SOX), pushed the needle towards ultimate CEO accountability, albeit in finance. The direction is likely to continue into cybersecurity as well, as it already has. The only safeguard against CEO implication in future security events is a proven history of CEO involvement, investment, and cooperation in the cybersecurity process.
Fortra Is Secure by Design
Fortra has signed CISA’s Secure by Design Pledge because we believe that software should be safe to use on day one. That is why we are committed to developing software that is built securely, with secure components, and comes with secure defaults.
Explore our Solutions
Fortra’s cybersecurity and automation offerings give you the tools you need to meet the challenges of today’s threat landscape head-on while streamlining and automating your IT and security infrastructure.