The CISO’s Job

Last week the Securities and Exchange Commission (SEC) charged the Chief Information Security Officer (CISO) of SolarWinds with crimes related to the company’s data breach in 2020.

These are serious charges. The SolarWinds CISO is being charged with knowing that his company’s digital assets were not secure and neither addressing those threats nor publicly disclosing them to investors. He also sold company stock while allegedly not disclosing facts he knew would (and ultimately did) negatively impact the stock price.

Several industry analysts have noted that it’s surprising that other members of the corporate leadership team, specifically the CEO and COO, were not charged. I agree that they bear responsibility if this turns out to be a case of intentional corporate fraud. I hope and expect that the CEO and COO will ultimately be charged as part of the ongoing investigation.

There has also been a lot of commentary saying that the CISO should not be held responsible for the cybersecurity gaps at SolarWinds because the CEO and COO set the security budget. Without an adequate budget, the reasoning goes, the CISO’s hands are tied. Such commentary completely misunderstands the job of the CISO.

The CISO has ultimate responsibility for information security, full stop. It’s right there in the job title. The buck stops at the CISO’s desk. And it’s more than a technical job. You can’t just demand that the company replace their firewall and then head off to tech conferences to eat rubber chicken and pontificate. There is a political aspect as well. Soft skills, as we call them in the tech field.

The CISO is responsible for making sure that the proper controls are in place to protect corporate data, and also for making sure that there is proper funding for those security controls. The CISO needs to make the rest of the C-suite and the board of directors understand the threats the company faces and take them seriously. Securing information assets has an impact on the company’s finances and reputation. The CISO needs to persuade and play internal political games to ensure that the decision makers understand the importance of information security and are willing to prioritize it and fund it adequately.

As a CISO, if you’re not willing or able to play those political games, if you’re unable to persuade the folks who control the money, you need to either find a new company to work for or find a new line of work.

I’ve also seen arguments that the SEC’s action will cause CISOs to leave their jobs or make them primarily concerned with covering their butt. If this case makes it clear who should and should not be a CISO, that’s a good thing. If it makes clear that the CISO is a leadership position and attracts people to the position who are interested in leading, that’s a good thing too.

The job and the responsibilities of the CISO will ultimately be better defined by the SEC’s action. And that will benefit corporations across the country and all of the individuals whose data they possess.

Osage Orange

There are Osage orange trees growing alongside the bike trail near my home.

The Osage orange tree is native to North America. It produces a very hard wood that was used by the Osage Indians to make bows. The wood is also resistant to rot, which makes it good for fences and other outdoor structures.

In the fall the tree produces a fruit that’s about the size of your fist and the yellow-green color of a hi-viz safety vest. The fruit is wrinkled and bumpy, which has given it the popular name of “monkey brains.”

The flesh of the fruit is bitter and inedible. Inside the fruit is a milky white sap that irritates the skin. The seeds are edible and are supposed to taste like popcorn. Occasionally you’ll see a squirrel or deer chewing through the flesh of the fruit to get at the seeds, but the fruit mostly just rots where it falls from the tree. There isn’t any woodland critter that eats it.

It’s a puzzling evolutionary development, since the whole point of producing fruit is to have animals eat the fruit and disperse the seeds in their poop. Why would the Osage orange tree evolve fruit that nobody wants to eat?

The best guess is that the fruit was eaten by an animal that is now extinct, most likely the giant ground sloth or maybe the mastodon. Nobody told the tree that times had changed and it needed to up its fruit game, so it goes on as it always has.

You often hear the phrase “evolve or die,” so this would seem to be an evolutionary dead end for the Osage orange tree. But in a way you have to admire its determination. It spent a very long time developing the ideal fruit for its target audience and it’s happy with the results, thank you very much.