Would a Chief Information Security Officer (CISO) ever go to prison?
In a world where business-destroying cyber attacks happen daily, the question of who is to blame continually surfaces.
Is it the employee who clicks on the fluffy cat image that turns out to be ransomware? Or is it the CISO (Chief Information Security Officer) for not doing more to arm their workforce with the cyber intel needed to identify malicious mail?
With ransomware attacks skyrocketing and causing financial losses that can soar into the billions, the blame game is becoming a serious issue for businesses in the aftermath of attacks.
This also raises the question of whether a CISO should ever be legally penalised for a breach, and at what point those penalties should amount to a prison sentence.
This is a deeply controversial issue, and there is no definitive answer. Every case is different and courts of law are the ultimate decision makers. But as legal cases against organisations mount, it's a topic that can't be ignored.
So, what can CISOs do to lessen their chance of falling into a situation where prison is even a possibility?
CISOs in the Dock
The issue of CISOs being held personally liable first came to prominence after Joe Sullivan, Uber's former chief security officer, was accused of covering up the company's 2016 data breach.
In that incident, attackers gained access to records on 57 million Uber riders and drivers. Uber paid them $100,000, routed through its bug bounty programme, in exchange for signing an NDA and deleting the data, and the breach was not reported at the time. It only became public in late 2017, when Uber's new leadership disclosed it.
Sullivan was tried and, in 2022, convicted of obstructing a Federal Trade Commission investigation and of misprision of a felony (concealing a crime). He was sentenced to three years' probation and a $50,000 fine. He avoided jail, but the case attracted wide media attention and put the question of whether CISOs should ever face prison time after a breach firmly on the agenda.
US District Judge William Orrick of the Northern District of California told Sullivan at sentencing: "If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison. When you go out and talk to your friends, to your CISOs, you tell them that you got a break, not because of what you did, not even because of who you are, but because this was just such an unusual one-off."
Since that case, many more incidents have occurred, though to date no CISO has been sent to prison. That does not make the issue any less of a concern for those in senior security positions, and the threat adds yet more stress to what is already one of the most pressurised roles in the C-suite.
To say CISOs have a tough job is an understatement. Not only do they face an army of cyber criminals working determinedly to breach the organisations they are hired to secure, the terrain they must defend keeps expanding. Every employee is a potential risk, every corporate device is a gateway for attackers, and even the supposed "safety" of the cloud is never immune to attack.
So, how can CISOs tackle these challenges? With the odds stacked against them, how can CISOs protect themselves?
Securing the CISO
The first and most important rule is never to conceal a breach. CISOs should not follow in Joe Sullivan's footsteps: concealment will never benefit them or the organisation they work for.
When a breach does occur, CISOs should disclose it in line with the regulatory requirements of every affected jurisdiction (including securities regulators, where the company is publicly listed), notify stakeholders and customers, and be as transparent as possible.
SolarWinds is another organisation feeling the backlash of breach concealment.
The organisation downplayed its 2020 security incident, even though it has since been recognised as one of the most significant software supply-chain attacks to date. Lawsuits followed, and the US Securities and Exchange Commission brought charges against both the company and its CISO, alleging that investors were misled about the state of the company's security.
The organisations that receive the least negative backlash following a cyber attack are often the ones that opt for transparency rather than concealment, so CISOs should champion this philosophy.
As an extra layer of protection for the CISO, it is also worth having clauses in the employment contract that set out their obligations after a breach. These should state whether disclosure is the CISO's responsibility and, if so, whom they must notify, or, if disclosure belongs to another role holder, exactly who that person is. The aim is that the CISO is never in a position where other executives can pressure them into covering up a security incident.
The CISO can also ask for contractual clauses covering legal costs after a security incident. Being the victim of an attack should not, in itself, make the CISO personally liable, so they should ask the employer for indemnification and confirmation that the company's directors' and officers' (D&O) insurance extends to them, so that legal fees and expenses are covered if a case is ever brought against them.
By following these practices, CISOs should be able to protect themselves following breaches, but it is also vital they take steps to prevent attacks occurring in the first place.
This means ensuring that all employees receive regular security training; that all systems and devices are continuously inventoried, monitored and secured; that the security of suppliers and partners is assessed on an ongoing basis and never overlooked; that multi-factor authentication (MFA) is the standard across all digital assets; and that incident response planning is given priority. CISOs should also report clearly on the organisation's security posture to the rest of the C-suite, always painting an accurate picture and stating what budget is needed to improve it.
When CISOs take these actions, they significantly strengthen the security of their businesses and add a further layer of protection around themselves. They demonstrate that they are genuine security champions, while greatly reducing the risk that a future breach leads to personal legal jeopardy.