BreachExchange mailing list archives

Does Your Company Need a CISO?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 22 Sep 2014 18:56:02 -0600

http://www.lawtechnologynews.com/latest-news/id=1202670850859/Does-Your-Company-Need-a-CISO?mcode=1395244994797&curindex=0&slreturn=20140822155445

The burgeoning cybersecurity industry already has produced a veritable
alphabet soup of job titles, credentials and certifications. Although some
healthy skepticism may be warranted regarding this proliferation of
acronyms and abbreviations, the reality of the urgent need for qualified
corporate leaders in positions of authority and responsibility is beyond
dispute.

As Luis Aguilar, a commissioner on the U.S. Securities & Exchange
Commission, commented in a recent speech, even the most sophisticated data
security system is “a bible without a preacher if there is no one at the
company who is able to translate its concepts into action plans.” Boards of
Directors, Corporate Governance and Cyber-Risk: Sharpening the Focus,
Commissioner Luis A. Aguilar, June 10, 2014.

For many public companies, that leader should be a Chief Information
Security Officer, whose sole responsibility is data security and who
reports regularly to the board of directors or a committee of the board. A
CISO will help the board to exercise informed business judgment in
evaluating the adequacy of the company’s data security, serve as a
spokesman for the company with regulators, shareholders, and other
constituencies—and in litigation greatly simplify the company’s narrative
of its efforts to develop and implement appropriate data security.

By now, public companies are clearly on notice that the SEC considers
corporate data breaches as a serious potential threat to investors and to
the integrity of the financial markets. In 2011, the SEC issued voluntary
guidance advising reporting companies of the need to disclose security
breaches and to consider cybersecurity vulnerabilities when disclosing risk
factors.

The SEC has since named data security as one of its examination priorities
for 2014 and this year announced that the Office of Compliance Inspections
and Examinations would conduct cybersecurity risk assessment inspections of
more than 50 broker-dealers and investment advisors. While the program has
not yet been expanded to include public companies, the OCIE has made clear
that it will look closely at who within a company is responsible for data
security, and specifically, whether the company’s executive team includes a
CISO.

For some companies, a CIO may also be entrusted with responsibility for
cybersecurity. However, there are significant benefits for separating these
functions. The emergence of the CIO role predates the cybersecurity crisis
and reflects a very different historical mission. A CIO’s primary mandate
typically has been maximizing business efficiency and productivity by
reducing cost and enhancing connectivity and accessibility for the
company’s information management systems.

These goals may often be at odds with the requirements of data security.
To put the issue bluntly, CIOs have driven many of the same changes in
corporate information management systems that have placed data security at
greatest risk. Even where a CIO’s independent judgment on data security
issues is not compromised by her longevity with the company, the CIO’s
business mission and performance goals could be viewed as compromising her
commitment to data security.  Separating the CIO and CISO functions may
enhance management’s ability to evaluate data management alternatives by
ensuring a vigorous debate between two C-level champions, thereby ensuring
the board receives a balanced assessment of the company’s productivity and
data security needs.

In addition to enhancing corporate risk management, a CISO may also
strengthen the board’s defenses when faced with a shareholder derivative
suit arising from a data breach. In the current environment, cybersecurity
obviously has an important place on the board of director’s risk oversight
agenda, yet the details of cybersecurity also clearly exceed both the
board’s available time and technical competence. By delegating
responsibility for oversight of cybersecurity to a single officer who
reports regularly to the board or a board committee, the board maximizes
its protection from liability under the business judgment rule. The law of
Delaware and almost all other states provides that directors are shielded
from liability when they have proceeded in informed, good faith reliance on
the analysis and reports of the corporation’s officers who have appropriate
training and experience for their positions.

The key to successfully using the business judgment rule as a defense is
demonstrating the steps by which the directors actually considered and
reached an informed decision. Appointing a qualified CISO with a clear
mandate from the board can be Exhibit A for the defense in a shareholder
derivative suit.  Of course, to provide effective assistance to the board
in the exercise of its business judgment, the CISO must be more than mere
window dressing.  The court will expect to see evidence that the board
actually exercised informed judgment through regular briefings on
cybersecurity issues.  By having one C-level officer who is primarily
responsible for assisting the board on cybersecurity and whose sole
function is cybersecurity, the task of documenting the basis and process
for the board’s risk management oversight is greatly simplified.

Independent Judgment

When appointing a CISO, the board should consider how best to ensure the
CISO’s ability to exercise independent professional judgment.  A common
refrain in shareholder derivative litigation is that management sacrificed
appropriate risk management in order to maximize short term profitability
and reap quick rewards under stock option and other incentive plans. The
CISO’s compensation plan and performance metrics should be consistent with
her or his corporate mission.

If there is a downside to creating a CISO position, it is the risk that the
unfortunate executive in this position could become a mere
scapegoat-for-hire to be sacrificed for the protection of others in the
event of a breach.  A CISO who lacks the cooperation of the rest of the
executive team may actually do more harm than good, at least from a
litigation perspective, because his tenure will generate a string of
internal communications documenting the company’s failure to respond
adequately to known risks.  The board must communicate forcefully to the
entire C-suite that cybersecurity is a real issue that the board takes
seriously as essential for the corporation’s long term viability.  To be
successful, the CISO needs the cooperation of the entire senior management
team, and ensuring this cooperation may require a reminder from the board
that the fallout from a major breach will extend beyond the CISO.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
