BreachExchange mailing list archives
Does Your Company Need a CISO?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 22 Sep 2014 18:56:02 -0600
http://www.lawtechnologynews.com/latest-news/id=1202670850859/Does-Your-Company-Need-a-CISO?mcode=1395244994797&curindex=0&slreturn=20140822155445

The burgeoning cybersecurity industry already has produced a veritable alphabet soup of job titles, credentials and certifications. Although some healthy skepticism may be warranted regarding this proliferation of acronyms and abbreviations, the reality of the urgent need for qualified corporate leaders in positions of authority and responsibility is beyond dispute. As Luis Aguilar, a commissioner on the U.S. Securities & Exchange Commission, commented in a recent speech, even the most sophisticated data security system is “a bible without a preacher if there is no one at the company who is able to translate its concepts into action plans.” Boards of Directors, Corporate Governance and Cyber-Risk: Sharpening the Focus, Commissioner Luis A. Aguilar, June 10, 2014.

For many public companies, that leader should be a Chief Information Security Officer, whose sole responsibility is data security and who reports regularly to the board of directors or a committee of the board. A CISO will help the board to exercise informed business judgment in evaluating the adequacy of the company’s data security, serve as a spokesman for the company with regulators, shareholders, and other constituencies—and in litigation greatly simplify the company’s narrative of its efforts to develop and implement appropriate data security.

By now, public companies are clearly on notice that the SEC considers corporate data breaches as a serious potential threat to investors and to the integrity of the financial markets. In 2011, the SEC issued voluntary guidance advising reporting companies of the need to disclose security breaches and to consider cybersecurity vulnerabilities when disclosing risk factors. The SEC has since named data security as one of its examination priorities for 2014 and this year announced that the Office of Compliance Inspections and Examinations would conduct cybersecurity risk assessment inspections of more than 50 broker-dealers and investment advisors. While the program has not yet been expanded to include public companies, the OCIE has made clear that it will look closely at who within a company is responsible for data security, and specifically, whether the company’s executive team includes a CISO.

For some companies, a CIO may also be entrusted with responsibility for cybersecurity. However, there are significant benefits to separating these functions. The emergence of the CIO role predates the cybersecurity crisis and reflects a very different historical mission. A CIO’s primary mandate typically has been maximizing business efficiency and productivity by reducing cost and enhancing connectivity and accessibility for the company’s information management systems. These goals may often be at odds with the requirements of data security. To put the issue bluntly, CIOs have driven many of the same changes in corporate information management systems that have placed data security at greatest risk. Even where a CIO’s independent judgment on data security issues is not compromised by her longevity with the company, the CIO’s business mission and performance goals could be viewed as compromising her commitment to data security. Separating the CIO and CISO functions may enhance management’s ability to evaluate data management alternatives by ensuring a vigorous debate between two C-level champions, thereby ensuring the board receives a balanced assessment of the company’s productivity and data security needs. In addition to enhancing corporate risk management, a CISO may also strengthen the board’s defenses when faced with a shareholder derivative suit arising from a data breach.

In the current environment, cybersecurity obviously has an important place on the board of directors’ risk oversight agenda, yet the details of cybersecurity also clearly exceed both the board’s available time and technical competence. By delegating responsibility for oversight of cybersecurity to a single officer who reports regularly to the board or a board committee, the board maximizes its protection from liability under the business judgment rule. The law of Delaware and almost all other states provides that directors are shielded from liability when they have proceeded in informed, good faith reliance on the analysis and reports of the corporation’s officers who have appropriate training and experience for their positions. The key to successfully using the business judgment rule as a defense is demonstrating the steps by which the directors actually considered and reached an informed decision. Appointing a qualified CISO with a clear mandate from the board can be Exhibit A for the defense in a shareholder derivative suit. Of course, to provide effective assistance to the board in the exercise of its business judgment, the CISO must be more than mere window dressing. The court will expect to see evidence that the board actually exercised informed judgment through regular briefings on cybersecurity issues. By having one C-level officer who is primarily responsible for assisting the board on cybersecurity and whose sole function is cybersecurity, the task of documenting the basis and process for the board’s risk management oversight is greatly simplified.

Independent Judgment

When appointing a CISO, the board should consider how best to ensure the CISO’s ability to exercise independent professional judgment. A common refrain in shareholder derivative litigation is that management sacrificed appropriate risk management in order to maximize short-term profitability and reap quick rewards under stock option and other incentive plans. The CISO’s compensation plan and performance metrics should be consistent with her or his corporate mission. If there is a downside to creating a CISO position, it is the risk that the unfortunate executive in this position could become a mere scapegoat-for-hire to be sacrificed for the protection of others in the event of a breach. A CISO who lacks the cooperation of the rest of the executive team may actually do more harm than good, at least from a litigation perspective, because his tenure will generate a string of internal communications documenting the company’s failure to respond adequately to known risks. The board must communicate forcefully to the entire C-suite that cybersecurity is a real issue that the board takes seriously as essential for the corporation’s long-term viability. To be successful, the CISO needs the cooperation of the entire senior management team, and ensuring this cooperation may require a reminder from the board that the fallout from a major breach will extend beyond the CISO.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!