[BreachExchange] CISO Accountability

Destry Winant destry at riskbasedsecurity.com
Fri Nov 13 10:36:29 EST 2020


https://www.cshub.com/executive-decisions/articles/ciso-accountability

The Cyber Security Hub has showcased many thoughts on business
enablement. As stated, the CISO has gone from the Department of No to
the Department of Know, along the way transforming from an on-prem
perimeter mindset to a user/data infinite perimeter mindset. The global
pandemic has enabled CISOs to fast-forward cloud migration into cloud
evolution, thus evolving the entirety of cyber security for the
enterprise.

As the function and deliverables have changed dramatically in the past
year, some things do remain constant for top cyber security
executives. Among those aspects of consistency is taking
accountability for the cyber security of the organization.

Joe Sullivan, former CISO of Uber, has been charged by the FBI/DOJ with
obstruction of justice and misrepresentation of a felony for allegedly
deliberately covering up the exposure of the PII of half a million
people and positioning the subsequent ransom payment as an
ethical/white-hat/bug-bounty payout.

With that background, we asked the Cyber Security Hub community their
thoughts on CISO accountability. To a person, all agreed that
misrepresentation of a breach and misrepresentation of a ransom paid
are inexcusable acts.

When asked about accountability, nearly every executive noted that
the CISO is accountable to the board. Some executives noted that, barring
negligence or malfeasance, accountability should be shared. And of
course there are now new regulations, along with standing regulations
for highly regulated industries, in place that would preclude a
multi-year cover-up from happening.

Most executives pointed to communication as the key. A CISO should
be consistently communicating the acute risk to the enterprise posed
by the organization's current mindset, processes, policy and technology
stack. Once that information has been communicated, accountability to
the board is accomplished. From there, if a breach of impact (with an
associated ransom) were to occur, there would be shared
accountability.

Shared communication and accountability are then followed up by a
technology tour: reviewing the stack at a high level, ensuring that
the board recognizes the evolution of risk mitigation alongside the
evolution of technology investment, and, with a true technology
evolution upon the industry, laying out the risk assumed when specific
investments are not made going forward. The 2021 corporate
enterprise infinite perimeter is completely different from the
on-prem-focused perimeter of 2019. Not acknowledging that fact could
be considered malfeasance in and of itself.

That does offer the opportunity, with deft negotiation, to continue to
reinvent the systems of 2019 into the systems needed in 2021 and 2022.
Defense in depth is a wonderful philosophy until one is faced with stacks
of unnecessarily redundant tools and mountains of technical debt. Through
that deft negotiation, discover what can be cut so that next-generation
technology can be added.

CISO accountability is about doing the right thing. But it's also
about securing the actual budget needed to do the job and protect the
enterprise in this brave new world.


More information about the BreachExchange mailing list