The CISO’s Job

Last week the Securities and Exchange Commission (SEC) charged the Chief Information Security Officer (CISO) of SolarWinds with crimes related to the company’s data breach in 2020.

These are serious charges. The SolarWinds CISO is being charged with knowing that his company’s digital assets were not secure and neither addressing those threats nor publicly disclosing them to investors. He also sold company stock while allegedly not disclosing facts he knew that would (and ultimately did) negatively impact the stock price.

Several industry analysts have noted that it’s surprising that other members of the corporate leadership team, specifically the CEO and COO, were not charged. I agree that they bear responsibility if this turns out to be a case of intentional corporate fraud. I hope and expect that the CEO and COO will ultimately be charged as part of the ongoing investigation.

There has also been a lot of commentary saying that the CISO should not be held responsible for the cybersecurity gaps at SolarWinds because the CEO and COO set the security budget. Without an adequate budget, the reasoning goes, the CISO’s hands are tied. Such commentary completely misunderstands the job of the CISO.

The CISO has ultimate responsibility for information security, full stop. It’s right there in the job title. The buck stops at the CISO’s desk. And it’s more than a technical job. You can’t just demand that the company replace their firewall and then head off to tech conferences to eat rubber chicken and pontificate. There is a political aspect as well. Soft skills, as we call them in the tech field.

The CISO is responsible for making sure that the proper controls are in place to protect corporate data, and also for making sure that there is proper funding for those security controls. The CISO needs to make the rest of the C-suite and the board of directors understand the threats the company faces and take them seriously. Securing information assets has an impact on the company’s finances and reputation. The CISO needs to persuade and play internal political games to ensure that the decision makers understand the importance of information security and are willing to prioritize it and fund it adequately.

As a CISO, if you’re not willing or able to play those political games, if you’re unable to persuade the folks who control the money, you need to either find a new company to work for or find a new line of work.

I’ve also seen arguments that the SEC’s action will cause CISOs to leave their jobs or make them primarily concerned with covering their butt. If this case makes it clear who should and should not be a CISO, that’s a good thing. If it makes clear that the CISO is a leadership position and attracts people to the position who are interested in leading, that’s a good thing too.

The job and the responsibilities of the CISO will ultimately be better defined by the SEC’s action. And that will benefit corporations across the country and all of the individuals whose data they possess.