Responsibility without authority is the real risk: At the heart of the SolarWinds lawsuit was a familiar problem for security leaders: responsibility without authority. The dynamic that caught Tim Brown in the SEC’s jaws is that, despite his experience, seniority, and title, he, like most CISOs, carries tremendous responsibility without any real organizational authority to back him up. Concerns about personal liability in the face of that imbalance are further souring many CISOs on the role.

“We have a lot of the responsibility and very little of the authority,” Knostic’s Evron says. “The organization manages the risk. Our job is to present the risk and to manage the risk once the organization decides what risk to take.”

“We work in a larger ecosystem,” Noma Security’s Kelley adds. “We are not all-powerful. We cannot make all decisions in a company. We must work within the budget. We can advocate for a budget, but then the budget is decided collaboratively by the business. The same with our resources for headcount, or decisions on what is allowed or what’s not allowed in terms of new controls or new policies.”

However, since the lawsuits against Sullivan and Brown first emerged, CEOs and other high-ranking decision-makers have come under increasing pressure to accept some of the cyber incident legal liabilities that have often been the sole province of CISOs.

“In my case, at my sentencing hearing, the judge turned to the prosecutor and repeatedly asked, ‘Why isn’t the CEO charged?’” Sullivan says. “The judge literally said, ‘As far as I’m concerned, the CEO is at least as culpable, if not more, as anyone else inside the company when it comes to the situation.’”

Sullivan adds, “In Australia, in the Qantas case, the board took away the bonuses for the CEO and a bunch of others. In one of those DOJ civil cyber fraud cases, the Aero Turbine case, they pierced the corporate veil and went after the private equity firm as well. There is a growing recognition inside government enforcement authorities that if you want to change corporate behavior, you’ve got to aim a little higher than the CISO.”
How CISOs should protect themselves: If the SolarWinds case clarified anything, it’s that relief is temporary and preparation is essential. CISOs have a window of opportunity to shore up their organizational and personal defenses in the event the political pendulum swings and makes CISOs litigation targets again.

“I feel that the SEC staff over the past five to ten years has become more educated and has a more in-depth understanding and knowledge as to how this all works,” Alston & Bird’s Peterman says. “CISOs should be breathing a sigh of relief with this development, but I would be cautious about reading into it too broadly based on shifting changes within this administration or the next one,” Peterman adds.

“Brown had to live through five years of this, first, investigation and, then, litigation,” she says. “And I assume that comes with a significant personal toll, psychological toll, and physical toll. [Brown suffered a heart attack during the litigation.] If CISOs don’t have the necessary indemnification agreements or directors and officers [D&O] insurance protections via the bylaws or by agreement, it can also mean that even if you win, it carries a significant financial toll.”

Noma Security’s Kelley emphasizes that CISOs will still be the face of cybersecurity for most organizations, which means continued diligence in how risks are communicated. “When customers or regulators or investors need answers, none of that has changed [as a result of the SolarWinds dismissal]. One of the takeaways is being very intentional and accurate in how we communicate about our programs.”

Sullivan advises CISOs and other security leaders to become proactive and communicate throughout the organization what they need. “It’s really important that we not sit in the corner and just let all the risks sit on our shoulders,” he says. “We have to engage with the rest of the executives and the CEO and say, ‘Look, cybersecurity is a company decision.’”

He also stresses that the CISO community owes a debt of gratitude to Brown for his fortitude. “A lot of us are really grateful for Tim for how he didn’t disappear during this process,” Sullivan says. “He spent a lot of time out at different events, typically closed-door ones, meeting with a lot of people. I had the opportunity to be on panels and calls with him where he and I shared a stage. All of us are very happy that Tim made it through this in one piece, and that he’s standing and that he still has his job.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4109992/what-cisos-should-know-about-the-solarwinds-lawsuit-dismissal.html