The Perils faced by a CISO


You may or may not have heard of SolarWinds.  Even if you know who they are and know about the security issue that hit them last year, you may or may not have heard of their CISO.  Well, TLDR: the SEC is planning to take action against the SolarWinds CISO.  Why? Well, the SEC alleges that SolarWinds' public statements about its cybersecurity were "at odds with its internal assessments".  Put simply, the SEC alleges SolarWinds knew it had material cyber security problems but didn’t report them to the SEC or investors as they should have.


There is a lot we don’t know here.  However, one thing is for certain – there is an increasing focus on the role of the CISO from regulators.  This is tough – being a CISO is a tough enough job in the first place.  Why?  Well, as well as being a newish role (that few really understand yet), there are a few common characteristics of CISOs you should take note of:


1. The CISO no one will listen to.

This CISO is competent, knowledgeable, and experienced.  However, whatever they say, internally no one listens.  The IT team has other priorities and doesn’t believe in a ‘second line of defence’ anyway.  The Board hired a CISO to make this problem (cyber security) go away, and don’t want to be bothered with petty requests for money, direction, or resources.  Nothing has gone wrong recently, so the organisation must be doing something right.  Surely?

This CISO is often characterised by a small/non-existent team and a slight hunch in their shoulders.

The solution: know when to walk away.  Oh, and keep records.


2. The Chicken Little CISO.

This CISO is competent, knowledgeable, and experienced.  Every issue leads to the end of the world, though.  Out-of-date firmware?  Could lead to the entire IP being disclosed publicly.  Firewall rule with an ‘any’ source?  Undoubtedly the systems will become a host for an organised crime ring.  In fact, there are so many catastrophic issues, it’s a surprise the business is still operating.

This CISO is often characterised by a love of new technologies and strong relationships with expensive service providers.

The solution: Agree consistent risk parameters and agree minimum standards.


3. The CISO provided by IT.

Either they report to your IT team or are provided by your IT service provider.  After all, cyber security is all about IT, right?

This CISO is often characterised by a focus on technical elements and making blanket statements like ‘our business risk is low because we have firewalls/EDR (or other specific technology)’.

The solution: Agree risk parameters and get a second pair of eyes.


The solutions

I have been all of the above over the years and have learned a huge amount.  From this, I have five main solutions:


1. Agree consistent risk parameters and use them.

Agree what risk looks like with the Board. Report this to the Board.  This gives a framework outside of security to keep you proportionate and honest.  There’s no one way to do this, but it’s their risk (not yours) so you need to be able to communicate in terms they understand.  Plus, it gets the Board to commit.


2. Get a second pair of eyes, just for you.

We’re all perfect, right?  Well, time to learn some humility.  Getting a second experienced pair of eyes to look over what you’re doing can help make sure you aren’t underplaying/overplaying/missing things.  We all need an independent helping hand sometimes.  I’d suggest you commission it, though, as it’s better done with you than to you. There are enough audits already, right?


3. Keep records.

Reports you write.  Meetings.  Minutes.  Issues you escalate and risk assessments.  Keep a record of it all.  You might get something wrong (we do) but you’ll more often than not get things right, I’m sure.


4. Agree minimum standards.

How do you secure a given technology?  Agree the parameters and steps.  Communicate these to the IT team, and communicate the existence and importance of these standards to the Board.  Sometimes, it’s enough to say ‘this is outside the standard’ rather than argue about specific risks to corporate strategy.  Some things just need to be done, and you shouldn’t have to justify that.


5. Know when to walk away.

This is tough.  We all want to work, and we all want to do a good job.  However, sometimes, no matter what you do, it doesn’t work.  Perhaps your personality doesn’t fit.  Perhaps the approach isn’t working.  If you can’t change it, for your own peace of mind and reputation, you have to walk away with a smile and a handshake.


At different points in my career I have been most of the above types of CISO.  I have done some excellent jobs, but also struggled and walked away.  We learn from each experience, so if the above helps you work out strategies for improving, that’s great. 

If you want an experienced friendly eye on what you’re doing, please just get in touch.  Reconfort has a Cyber Quality Review process designed to focus on exactly this.
