The CISO’s role has transformed over the years from a mid-level technical job focusing on network security and firewalls to a much more strategic and senior player in a company’s business.
Put that together with the surge in attacks and more intensive regulatory scrutiny, and we’ve all become more accountable when security breaches happen. That accountability extends not only to our organizations but to regulators, too. The Securities and Exchange Commission’s proposal to require company boards to include someone with cybersecurity expertise is a recognition of the greater priority that’s been ascribed to it. New York’s Department of Financial Services sets the expectation that the CISO be a “qualified” individual and that a member of the senior executive team (in addition to the CISO) also attest to the soundness of the cybersecurity program.
This increased visibility at the company and regulatory levels can translate into greater liability when things go wrong. So, it’s critical to understand both how expectations of the CISO have changed and what your potential exposure is.
Now, more than ever, with the number of breaches growing and the role of the CISO expanding, there’s an expectation that we will be held to the level of C-suite executives. First and foremost, we’re expected to have an ethical compass because we often function in a very gray area, given that we may have the same skills as bad actors.
We must also understand our industry’s regulatory requirements and obligations, and share information and accountability with other business leaders. The CISO shouldn’t be the only individual to know something has gone wrong. Cybersecurity and incident response are a team sport that needs to engage the senior executives and the legal and communications teams.
CISOs may face disciplinary action within their organizations, including termination, for security lapses, but they also potentially face legal risks. Not only might your company face civil charges, but you might even find yourself in jail if you’ve violated the law. If you’re in financial services and are dealing with people or organizations that are on a sanctions list, for instance, strict liability applies.
While CISOs going to jail is an edge case, it emphasizes the need for transparency and accountability. In the more complicated regulatory environment we’re now operating in, CISOs need to understand their potential exposure.
Companies have an insurance policy known as D&O, or directors’ and officers’ liability insurance, that protects senior officers in some instances. Most CISOs probably are not covered by this insurance, but I would check if you are joining an organization. Understand at what level you fall within the organization, your actual roles and responsibilities, and what coverage you may have as an officer of the company. The description of the CISO’s role is a fluid one, and reporting structures aren’t uniform. If you’re truly a senior officer, you should be covered by D&O. Also, D&O insurance does not protect individuals if they are involved in criminal or grossly negligent acts.
There are other layers of coverage, like E&O or errors and omissions insurance, that a CISO may or may not be covered by. It’s a personal decision, of course, but if you feel that the role is described as being at the senior level, yet the adequate protections aren’t there, I wouldn’t take the job.
In the past, if a CISO messed up, they got fired. But now there are longer-lasting consequences. The average tenure of a CISO has been somewhere around two years, but you may find yourself being called back to account for a security-related event even after you leave, because lawsuits take years to percolate.
So if your former organization is getting sued due to a security breach, you may be called to give testimony or be a witness. When you take a new job, you should ensure your contract stipulates that your company will cover those associated costs in the event they expect to recall you for certain circumstances.
While the CISO’s increased responsibilities present significant opportunities, they also present substantial challenges. Knowing how expectations have changed at the company and regulatory levels will give you greater protection and contribute to your success.