[BreachExchange] 'Golden bullet' clauses protect CISOs after a breach

Destry Winant destry at riskbasedsecurity.com
Tue Nov 19 09:59:36 EST 2019


https://www.ciodive.com/news/golden-bullet-clauses-protect-cisos-after-a-breach/567313/

Golden parachute clauses allow exiting executives to land on their feet.

Adam Neumann, the former CEO of WeWork, strapped on his golden
parachute to walk away with $1.7 billion in stock, cash and credit.

That was Neumann's choice. Security executives might not have that luxury.

A golden parachute financially insulates an executive during a C-suite
departure. With the possibility of breaches always hanging over the
heads of CISOs, golden bullet clauses financially protect them from
the fallout after an incident, according to Stuart Mitchell, head of
information and cybersecurity recruitment at Stott and May, in an
interview with CIO Dive.

Golden bullets won't entirely shield an executive from public
scrutiny, but can alleviate the burden of blame. And if the fear of a
termination becomes reality, a golden bullet clause would act as a
bonus paid to CISOs leaving after a breach.

"Every time there's a high profile breach, business needs a fall guy,"
said Mitchell. If it's a high-profile business, "you get fired and
[dragged] through the mud pretty publicly."

A golden bullet can cushion that dragging.

Neumann might have tarnished his reputation, but his golden parachute
gave him a "pretty gentle landing" financially, said Mitchell, a
luxury CISOs aren't always afforded.

Nearly one-third of CISOs suspect they would lose their job or receive
"an official warning" due to a data breach, according to a Nominet
survey of more than 400 CISOs.

If a CISO has a healthy budget and a fully staffed security
organization, then that CISO had all the resources necessary for solid
protection. Directing blame at the CISO, in that case, would be
justified. However, those circumstances are almost never a given.

Only 60% of CISOs think their CEO or president agrees with the
certainty of a future breach, according to Nominet. Non-IT leadership
can get wrapped up in liability defenses instead of pursuing security
best practices or investments, which puts more pressure on CISOs to
deliver with minimal resources.

Pay the price

It's easy for companies to scapegoat their CISO following a breach.
These executives are in charge of maintaining a safe and sound
network. But everyone in security knows cyber events are a matter of
if, not when.

In Q3 2019 alone, there were more than 5,100 reported breaches,
exposing 7.9 billion records, according to Risk Based Security
research. By comparison, 2011 ended with just over 1,300 reported
breaches and about 420 million impacted records in total.

Capital One's breach was reported in July, making it one of the six
breaches compromising 100 million or more records between July 1 and
Sept. 30 this year.

Even when breaches are inevitable, professionals still step into the
"thankless job," said Mitchell. Unlike other C-suite members, like a
CTO who becomes a "hero" when releasing a new product line, CISOs are
"never really the hero, but people know when you miss."

"You can definitely be a villain," Mitchell said.

Senior leadership is most concerned with the implications a breach
will have on their company's reputation, according to Risk Based
Security.

During and after a breach, the PR modus operandi is typically singling
out a fall guy — the CISO — despite the reality of circumstances, said
Mitchell. There are individual aspects of a security program in which
a CISO won't have direct oversight, yet they will still shoulder the
blame.

"That's why if you can't stand the heat, get out of the kitchen," Andy
Kim, CISO of Allstate's e-business, told CIO Dive.

Even with a tough exterior, there are plenty of mental health aspects
to deal with in the CISO job, according to Mitchell.

The majority of CISOs, 91%, say they have moderate or high stress
levels, according to Nominet. About 17% of CISOs rely on medication or
alcohol to mitigate their stress.

"I know plenty of people that like the second in command job of being
a deputy CISO or VP because sometimes it's more fun to be the prince
than be the king," said Mitchell. "You're allowed to turn your phone
off."

What's in a golden bullet

A golden bullet clause allows CISOs to consider their future and
what's in the best interest of the business.

Golden parachutes are often used to attract executives, though critics
warn they provide a moral incentive executives shouldn't need;
organizations should already act in the best interests of their
company without additional compensation.

The clause can also help protect a CISO's career.

"Ultimately you have to dust yourself off and humble yourself," said
Mitchell. "You're always going to be walking around with that skeleton
in your closet and you can't hide that information," especially from
Fortune 500 companies.

If a CISO leaves, they will likely have to rebrand themselves, hiring
personal brand managers to help. They can choose to leave with a
substantial salary to support them while they "get dragged through the
mud" until another public breach happens and people forget, said
Mitchell.

Companies benefit from the contract clause too. If there is a golden
bullet clause written into a CISO's contract, it more or less
guarantees a CISO's focus remains on a breach's recovery, as opposed
to looking for another job, according to Mitchell. "It also gives the
company an agreement that they are allowed to make the CISO the fall
guy."

This caveat helps alleviate criticism and concerns from investors and customers.

Today golden bullet-like clauses are usually "found in CISO
appointments that are titular in nature," said Kim. Some boards don't
know what qualities make an effective CISO and will appoint someone
they're familiar with as opposed to a security veteran.

"There are many uninformed board of directors members who don't know
how to select an effective CISO," said Kim. Fortune 100 companies
usually have boards like this, hiring "their friend or [someone who]
is a politically well-connected appointee."

But "a lot of that onus is on hiring and firing people and not
trusting the right people or the wrong people," said Mitchell. Trust
either falls between executive leadership and their CISO or the CISO
and the rest of their security organization.

The cybersecurity industry thrives off a workforce of diverse and
unlikely backgrounds. About 70% of qualified applicants hold a title
that isn't necessarily security-specific, according to research from
(ISC)².

CISOs "who know what they are doing aspire to this moment, when a
breach happens," said Kim. "Marginal CISOs will simply resign."

Falling on their sword

Cybersecurity success can only be measured by silence — no breaches,
no cyberattacks, no headlines.

A CISO's performance should be quantified by more than a singular
event, according to Greg van der Gaast, head of information security
at The University of Salford, in a LinkedIn post.

"I think a CISO should be measured by the improvements they bring, not
a point in time. Bad things can happen even when you’re heading in the
right direction," said van der Gaast.

Holding onto a publicly tarnished executive is a potential PR hazard.
Terminating CISOs is, in a way, PR damage control, despite the tenure
or experience of the executive.

Though removed CISOs have wounds to lick, their recovery career-wise
is possible. Uber's former CISO Joe Sullivan — who was blamed for
paying off hackers in a 2016 data breach — is now CISO of Cloudflare.

If a CISO performed their job to the best of their ability, without
any major faux pas, and a breach still occurs, companies have to ask
two questions, according to Mitchell:

Would the business be in a better position if they paid the CISO to
clean up the mess?
Or, should the business conduct interviews for a new CISO, taking
their eyes off the recovery?

Companies with very public breaches, including Home Depot, kept their
CISOs or CISO-equivalent onboard.

Home Depot adopted the CISO title when it hired Jamil Farshchi, who was
later hired by Equifax. But Daniel Grider, VP of information
technology, who was in charge of security, still holds his role.

Other companies don't fare as well. Yahoo had three high-profile data
breaches between 2013 and 2016, before later disclosing that the breach
impacted three billion Yahoo accounts. In that time frame,
particularly 2015, there was a revolving door of CISOs, though they
left of their own volition.

Within six months in 2015, Yahoo went through three CISOs: Alex
Stamos, Ramses Martinez, and Bob Lord. Lord later left in 2018, and now
Chris Nims, CISO of parent company Verizon Media, has ownership of
Yahoo's troubled past.