[BreachExchange] After a breach, CISOs fall on their swords or play the role of scapegoat

[Destry Winant]

https://www.ciodive.com/news/after-a-breach-cisos-fall-on-their-swords-or-play-the-role-of-scapegoat/549683/

The aftermath of a data breach makes those with "security" in their
title the most convenient scapegoat.

Securing an organization against cyberthreats is not a one-person job,
especially when distributed security is gaining traction and the
underlying circumstances of a breach don't necessarily mean the CISO
alone is to blame.

Chief information security officers are tempting sacrifices in the
event of a data breach. However, "in the midst of chaos, you need
somebody and typically you want your CISO," said said Chris Nims, CISO
of Verizon Media, in an interview with CIO Dive.

Still, there's no surprise that a C-suite overhaul is common after a
massive data breach, think Equifax, Uber, and Yahoo. But in the grand
scheme, less than 1% of CISOs are actually fired, though 12% believe
they would be dismissed because of a breach, according to a 2015 IDC
report.

Consequently, CISOs feel more compelled to fall on their sword after a breach.

"Where I've personally seen CISOs move out post-incident, it's
typically because of the individual," said Nims. "You may not know,
until there's a significant security incident, whether or not the
leader is going to be successful if he or she has never navigated that
kind of storm before."

Securing an organization against cyberthreats is not a one-person job,
especially when distributed security is gaining traction and the
underlying circumstances of a breach don't necessarily mean the CISO
alone is to blame.



Sometimes it's easier for companies to let go of security
professionals to make a show of accountability to the public,
customers or clients. The scapegoat title isn't always fit for a CISO
when the extent of the breach, the exploited vulnerability and the
aftermath are taken into consideration.

What's in a name?

The attractiveness of the CISO title or a security title that's
proceeded by "chief" can have less to do with responsibility and more
to do with vanity.

"We like to be nice to each other and make each other feel good to
have someone with an actual title of CISO," Pete Lindstrom, VP of
research, Enterprise/NextGen Security at IDC, told CIO Dive.

Not having the CISO title for a role with similar responsibilities is
not really a unique concept, according to Lindstrom. "These titles
come and go," he said, and there is a "mixed bag of industry and
personality" that pull the strings between CISO, CSO, CIO or chief
risk officer.

The CISO title is popping up partially because of what it signals to
the public, potential hires, partners and insurers. Companies are
weaving security into contracts and interactions.

Target hired Brad Maiorino as the first CISO in company history in
2014 after its 2013 data breach. Maiorino reported to then-CIO Bob
DeRodes, who was also brought on after CIO Beth Jacob's resignation in
March 2014. Shortly after, the chief executive of Target, Gregg W.
Steinhafel, resigned in May 2014.

As data has always been touted as an intangible yet invaluable company
asset, its protection is just as important. Companies without a formal
head of security can be scrutinized for a lacking formal approach to
cybersecurity.

"I'm sure there are companies with someone without a particular title
[who] may feel they aren't as effective as they could be," said Nims.
However, "I dont think there's a silver bullet answer to that, I
really think it boils down to a particular company's culture."

A seat at the table

A security leader with the chief label likely entitles the individual
to more compensation, the assumption of security ownership and greater
access to the CEO, most importantly.

If a security leader is "buried" and "a couple layers down," a company
isn't "putting the right level of focus on security as [it] should
be," said Taryn Aguas, leader of the CISO transformation labs program
for Deloitte Cyber Risk Services, in an interview with CIO Dive. The
CISO title "is certainly appealing for talent" but is second to the
role itself and its level of authority.

Regardless of titles, security leaders need to effectively communicate
strategy and priorities across nontechnical leadership.

"I enjoy working with leaders who understand that even though my
security priorities might create tension with their innovation or
revenue generation priorities, my work is also important, we are all
in this together, and we will through creative tension together steer
the company in the right direction," Joe Sullivan, CSO of Cloudflare,
and former CSO of Uber and Facebook, told CIO Dive in an email.

CISOs have to be able to provide the nontechnical C-suite members the
context of security and where the CISO role ideally fits.

"I suspect I was not the best partner myself when I first stepped into
leadership, because it took me time to shift my perspective from being
a leader of a team to being a leader of the company," said Sullivan.

"I enjoy working with leaders who understand that even though my
security priorities might create tension with their innovation or
revenue generation priorities, my work is also important, we are all
in this together ..."



Joe Sullivan

CSO, Cloudflare

The rideshare company's former CEO Travis Kalanick accumulated a trail
of scandals before his exit in June 2017 and Sullivan followed in
November of the same year following the disclosure of a data breach
impacting 57 million users. Uber's security leadership used funds
related to its bug bounty program to pay the intruders $100,000 to
delete the data.

Having a direct line of access to the CEO takes the guesswork out of
security in terms of business strategy. Without a seat at the table,
Sullivan said he had to "dig to figure out which risk areas could be
addressed quickly and which needed to be worked through
collaboratively."

This is a slow evolution for companies that are used to viewing their
security organizations as a cost center and compliance function.

The aftermath of a data breach tests a C-suite's ability to handle
what this means for reputation and recovery. "I would say modern
companies look at security leaders, the CISO role, as a significant
asset and as a leader that's actually going to help you navigate that
storm," said Nims.

For Nims, the brand portfolio that sits under the Verizon Media
umbrella attracts a multitude of potential adversaries. When he came
in as CISO and inherited the breached legacy Yahoo now carries, Nims
had to create a cohesive security strategy.

Nims didn't treat it any differently from other M&A activity. "It was
definitely not a transition that was focused on 'here's this big thing
that happened and everything is focused on that,' " said Nims.
"Certainly, absolutely appropriate attention, given to various items
that resulted from [the breach]."

Input from historical cyber events of course shaped the agenda for
what Nims needed to do from a program perspective and what needs to be
built.

Who owns responsibility

There is complexity involved in cybersecurity, though the public
routinely assumes a breach was the result of negligence.

There "really [needs to be] a better way to assess negligence because
there's no legitimate security professional out there that will say
you can be 100% secure," Lindstrom.

Breaches often occur as a result of something outside the direct
control of a CISO. Updating systems or administering software patches,
for example, is a responsibility of IT operations whereas the CISO is
in charge of prioritizing patches.

"I would say modern companies look at security leaders, the CISO role,
as a significant asset and as a leader that's actually going to help
you navigate that storm."



Chris Nims

CISO, Verizon Media

Actual security patching is not done by the security team, said Todd
Inskeep, principal and director at Booz Allen Hamilton, in an
interview with CIO Dive.

This is one of the places the intersection of a CIO and CISO is vital
for companywide security. Former Equifax CIO Graeme Payne testified to
Congress that the credit firm's aggressive growth strategy contributed
to a foggy representation of its IT systems.

The U.S. House of Representatives Committee on Oversight and
Government Reform concluded that Equifax's breach was avoidable if
patches were implemented accordingly.

Payne testified the company still relied on an internet-facing
Automated Consumer Interview System environment from the 1970s to 2017
and feared a retiring workforce would edge out those with knowledge of
operating legacy systems.

Former CEO Richard Smith's aggressive acquisition activity contributed
to the Equifax IT organization's inability to keep a reliable
inventory of what software resided on the legacy systems, according to
Payne. Smith's market growth strategy added to the firm's complex
layers of applications, databases, middleware and operating system.

Equifax's breach was caused by its technical, and therefore security,
strategy taking a backseat to its general business strategy. The
breach was a result of "human error and technology failures," said
Smith, during his Congressional hearing. The mistakes were "made in
the same chain of security systems designed with redundancies."

Without a reliable inventory of system identification, which is a part
of the NIST cybersecurity framework, Equifax's former CSO, Susan
Mauldin, CIO and CEO were doomed.

Even without a living inventory, "a good CISO and IT team can create
architectures to protect legacy systems, network segregation and
network mechanisms to isolate" and defend the company, said Inskeep. A
reliable architecture would allow a CISO to effectively manage
updating, patching and other vulnerability management activities.

In February 2018, Equifax named Jamil Farshchi its CISO after he
cleaned up Home Depot's data breach as CISO.

In 2014, Home Depot had a data breach of more than 50 million
customers. The breach ultimately cost the do-it-yourself retailer a
minimum of $19.5 million to settle customer lawsuits.

In between the time of the breach and the settlement, Home Depot hired
its first CISO, Farshchi. Before introducing the CISO title, Daniel
Grider, VP of information technology at Home Depot, oversaw security.
Grider is still with the home improvement retailer.

As time progresses, the question may become less around what the lead
security role is, especially when Silicon Valley is dabbling in
distributed responsibilities. Instead, companies should ask what are
the functional requirements for a world class security program and how
it will be reinforced across company lines, according to Lindstrom.