Attention CEOs: The Great CISO Renaissance is Coming

In 2015, the Boston-based security advisory firm K-logix predicted an increase of Chief Information Security Officers (CISOs) reporting to CEOs, and in 2017 the NACD provided provide guidance on boards on basic cyber security principles.  However, CISOs continue to struggle for widespread recognition as an executive officer.  Although the CISO is responsible for integrating privacy requirements into security program controls, the EU’s General Data Privacy Regulation (GDPR) introduced and catapulted a new role into the executive ranks in 2018. The regulation creates a new “Data Protection Officer (DPO)” role serving as a quasi-regulator for EU Data Privacy compliance enforcement who must report to the highest levels of management. Data Protection Officers usually fall under Compliance leadership function closely associated with the General Counsel or legal department, and are integral to the company’s data privacy program oversight.  In contrast, the CISO who is responsible for technology risk management may report through a number of executive functions depending on the industry and company. The General Counsel is no stranger to the executive table, so it should be no surprise that the new DPO role leapfrogged the CISO in the corporate hierarchy.

Although CISOs have been improving their business and risk management acumen by focusing on non-technology-based topics such as GDPR compliance, Third-Party Oversight and Enterprise Risk Management at recent security conferences, the majority of job descriptions for CISOs continue to describe both tactical and strategic duties and continue to list the role under a CIO or CTO.  In response, an increasing number of seasoned CISOs are opting for independent consulting work in the growing Gig Economy rather than struggling for budget and resources within a company only to be sacrificed when the inevitable data breach occurs. If the unique challenges with rank and responsibility continue, the role of the CISO could become a standard appendage to a company like an independent CPA firm or external counsel providing advisory guidance.  

If you are a CEO considering whether you want a CISO on your leadership team, I offer the following reminders regarding the CISO:  

• The role of the CISO is strategic, not tactical

Some organizations proudly announce they have passed their SOC 2 independent audit report without any findings to communicate the maturity of their security program.  If those organizations were expecting a “clean” SOC 2 audit report to eliminate the need for a customer assurance program, an experienced CISO knows that a SOC 2 report can be crafted to scope out the “dust and cobwebs under the carpet” and only focus on the shiny production service or solution offered to customers.   Rarely are SOC 2 reports accepted on their face as adequate governance of an enterprise risk management program. Additional audits and evidence will likely be necessary to satisfy partner and customer inquiries.

In another example, security solution providers usually begin their sales pitch by describing a legitimate business problem.  However, they quickly shift to focusing on the product features rather than recognize the business problem in context of other risks an organization may face as the company’s executive team would do at a risk review.

The fallacy in both of these examples is the assumption that successful execution of a tactical project will translate into a strategic solution.  The truth is that the problem being solved may or may not be significant in the organization’s big picture, and the CISO should not waste time and resources on low priority problems.  By elevating the role to the strategic level, the CISO will have the appropriate context to consider operational risk challenges within the organization. For example, a survey by Soha Systems reported that 63% of data breaches – nearly two-thirds – are attributed directly or indirectly to Third-Parties according to IAPP.  If the CISO is focused exclusively on the technology used to secure products or services, the company could be missing the larger threat from the access granted to merchants, vendors and subcontractors.  The operational risk has little to do with technology and more to do with processes and permission management.

• The role of the CISO touches the whole organization just like the Privacy Program

The privacy program and security program are complementary teams – like a right hand and left hand.  Although they serve similar functions within the organization, they are not the same. The privacy office defines the privacy requirements for the business and the security program creates and implements the controls needed to achieve those requirements.  Security and privacy programs are often combined under an Enterprise Risk Program. Much the same way a privacy program includes human resources, training, sales & marketing, corporate communications, legal & compliance, finance, and information technology stakeholders, so does the information security program.  However, the privacy program is dependent on the security team to implement the necessary controls. If the DPO reports to the CEO and/or Board of Directors, but the CISO is not at an equivalent level or is external to the organization, maintaining a current status of the security program may be more challenging than necessary due to office politics and hierarchy.  The right hand and the left hand should communicate equally with the brain to successfully perform a complex job requiring both hands, or the right hand may not know what the left hand is doing.

Similarly, if the CISO’s budget is nested within a CTO or CIO’s budget, re-allocating funds to other departments with deficient security controls is an uphill battle for the CISO.  Assume that the CISO has determined that risk associated with third-parties is the biggest risk for the company, but the procurement and/or human resources department need additional resources to screen contractors and other partners adequately.  If the CISO relies on a cost center such as the CTO or CIO to present the case to the executive team for additional funding, the message may diminish in translation, and the CIO or CTO may perceive higher priorities within the department. Providing the CISO with a seat at the table in executive team meetings will not only optimize spending decisions but will also improve collaboration and improve security and risk awareness among the executive team.

• The role of the CISO is becoming a Regulatory Requirement

The Ponemon Institute has listed “Appointment of a CISO” as one of the factors to mitigate the cost of a data breach for several years.   Not surprisingly, regulators are beginning to require the appointment of a CISO as a compliance requirement. For example, the New York Department of Financial Services mandates “a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, “Chief Information Security Officer” or “CISO”)” be appointed” for each entity covered by the regulation.  Furthermore, the CISO is required to provide an annual written report to board of directors or equivalent governing body on the cybersecurity program and material cybersecurity risks.  Although the New York regulation requires an Annual report to the board, the CEO should receive regular and recurring status on the cybersecurity risks for the company. In light of the additional focus on security and data privacy generated by public outcry, similar requirements may permeate to other jurisdictions in the form of similar regulations.

• The role of the CISO includes some Individual Professional Liability

As referenced above, audits of corporate security and data privacy programs require the individual responsible for the governance of the program be qualified for the role and maintain his or her skills through continuing education.  This control is often addressed through requiring industry recognized certifications with continuing professional education (CPE) mandates, a code of ethics and a duty to the profession as a condition of certification in the job descriptions for these roles.  Loss of a professional accreditation such as a CISSP, CISM, CISA, CRISC or C|CISO in the case of a CISO or a CIPP or CIPM in the case of a DPO are potential risks to be considered when considering a role within an organization. Both CISOs and DPOs are likely to request Director’s and Officer’s (“D&O”) Insurance / Professional Liability Coverage under the corporate policy as a condition of employment.

Under GDPR, regulatory fines for a company can reach 4% of annual turnover or 20 million EUR for a privacy breach.  Some privacy professionals view the regulation as a “stacked deck” mechanism for funneling revenues to the EU from US companies.  Impacted companies are presumed guilty under the regulation’s “Accountability Principle” and requirement to demonstrate compliance with “Security by Design” and “Security by Default.”

If that assessment is accurate, lawsuits against both companies and the officers responsible for the security and privacy program issues are likely.  Companies need to be wary of potential criminal prosecution risk associated with mishandling of protected information.  CISOs who have their professional credentials provided to regulators, government agencies and customers as evidence of their qualifications will be reluctant to have their communications filtered through another corporate officer, especially if recommendations are not implemented because of other risks.  If an independent or fractional CISO is required to carry professional liability insurance to cover regulatory fines on that scale, the premiums for that level of coverage make the costs for their services exorbitant, and the company will still need to cover their own liability insurance premiums. In-house CISOs covered under the company’s liability policy makes more fiscal sense for regulated industries to avoid paying twice for the same coverage.   Previously unregulated companies are finding themselves within the material and territorial scope of GDPR and are being introduced to compliance requirements and fines, and they are only beginning to understand the impact to their organizations.

Summary

Experienced CISOs with an appreciation for the concept of enterprise risk are venturing out to form their own advisory practices in the booming “Gig Economy” where they can choose their own clients, travel schedule, industry and risk tolerance.  If nothing changes, the trend towards “freelancing” is expected to continue. With full control over pricing and insurance for “gigs,” these freelancers are able to set their own rates commensurate with the risk associated with the opportunity. According to NASDAQ.com, 34% of the total workforce, nearly 53 million Americans were freelancers, and this number is expected to increase to 43% by 2020.  The irony is that the growth of the Gig Economy is only increasing the challenges for the CISOs who remain in corporate America. Managing risks associated with contractors increases in complexity as the number of third parties engaged by an organization increases, so a critical mass is building.   

The problem with the independent consulting option is that many CISOs really do WANT to be a part of a leadership team and would choose that option if offered to them.  These executives rely on teamwork to make the program successful and being an outsider who may or may not be able to use the name of their client as a reference diminishes the personal fulfillment and recognition in a job well done.  Creating a direct reporting relationship between the CEO and the CISO is one of the best ways to demonstrate management’s commitment to the security program, save insurance costs and increase efficiency of the security and data privacy programs.  With improved visibility to enterprise risks, CEOs can be assured their teams are working on the right problems and the security prowess of their leadership team expands through increased exposure to and collaboration with the CISO.