
CISO Liability and Lawsuits in the Face of a Crisis, Part 2

  • Dec 29, 2020
  • Gorka Sadowski
  • 4 minutes to read


    Let’s continue our last post (CISO Liability and Lawsuits in the Face of a Crisis, Part 1) where we left it.

    CISO role

    Being offered a CISO role can be perceived as a promotion, and very often it is. However, individuals must resist the temptation to sign on the dotted line and take on that responsibility until they understand that their personal liability could be engaged if something really bad happens in the organization. They must feel comfortable assuming the CISO role, and know that they will have the opportunity to drive the necessary programs and initiatives in the organization. With these factors in mind, the steps below can help any current or aspiring CISO as they step into the role.

    1. Research the organization before accepting the job

    Due diligence from an aspiring CISO starts with the candidate doing his or her homework before accepting the role. During the interview, CISOs should be determining how serious the company is about cybersecurity. Is the organization really committed to a strong security program, or merely looking for a potential scapegoat if/when a breach occurs? Insist on interviews with key members of the executive staff and the Board of Directors. If interviews with these stakeholders somehow cannot take place, this is already a bad sign. Likewise, if access to key documents such as the organization’s current and future plans for security is denied, this is another red flag, because lawsuits and other legal discovery will likely include them. Why is the organization looking for a CISO? Is this a new role, and if not, what happened with the prior CISO? Do not allow yourself to become a potential scapegoat.

    2. Validate the organization’s legal and regulatory requirements

    Map the organization’s vertical industry (e.g. finance, healthcare, government) landscape from a legislative and industry best practices standpoint, with your knowledge and understanding of that space. Do the protocols you have implemented align with applicable laws and industry standards? Does your organization have resources who have appropriate certifications — some examples in no particular order include Certified Information Security Auditor (CISA), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM)? Beyond management and technical certifications, do these resources have experience implementing and maintaining such programs?

    3. Assume the incident already happened and the public will know soon

    According to Verizon’s 2020 Data Breach Investigations Report, adversaries were hiding in an organization’s network for months in over 25% of breaches. Because of dwell time and advanced persistent attacks, CISOs need to assume the adversary is already inside. Do you have, or can you put a robust intrusion detection and response program in place?

    4. Understand that a breach can be discovered on day one of the new position

    CISOs need to be prepared for a breach discovery at any moment, including at the start of their tenure at an organization. The defense of, “It’s not my fault as I just started this position,” may not fly in the eyes of customers and stakeholders in the event of a breach. Even if a CISO just started, they will need to represent the organization to customers and stakeholders. CISOs will need to be ready to own the decisions the organization has made in the past 10 years and assume the consequences of those decisions. Do you feel comfortable “owning” that spot?

    5. Establish a plan for a data breach as soon as possible

    One of the first steps a new CISO should take is to establish, as soon as possible, a clear plan for the organization in the event of a breach. CISOs should drive the incident response process and assign ownership to the relevant stakeholders. Then, they should test it. Define the recovery approach and include post-breach communication expectations. The business needs to be back online as quickly and efficiently as possible, but not at the expense of shortcuts that the CISO may regret later.

    6. Have allies within the organization

    Be an enabler to the business — don’t systematically refuse any risk, but rather help the organizational leadership understand these risks and balance them with programs and investments. Of course you need to get along with “IT,” but you also need to pay particular attention to the legal team and the sales organizations, as they need to be your friends for you to be successful as CISO.

    7. Communicate, communicate and over-communicate. Do you have it in writing?

    This point speaks for itself. Communication on preventative and responsive breach actions should ideally be in writing so there is a clear audit trail to avoid any “he said/she said.” Never accept a verbal mandate that doesn’t pass your “smell test.” Get it in writing, and make sure that there are no ambiguities in the ask.

    8. Ask for resources, in writing

    CISOs should ask for resources to constantly improve the organization’s security posture and state of IT. Even if the company refuses and de-prioritizes security and IT funding compared to other expenses, the documented ask could prevent a CISO from being held accountable in a breach. The documentation must also show that both the CISO and the organization have taken a risk management approach, balancing the need to run the business with the security risks.

    The cost of security failures

    The cost of security failures is more than being a headline. Large breaches can take years to clean up and settle in court. By getting ahead of the breach, understanding the level of due diligence and having a defensible approach, incorporating some basic common-sense steps, plus getting leadership on board with cybersecurity, CISOs and their security teams are helping avoid termination… or worse.

    (Special thanks to our own Steve Moore, host of “The New CISO podcast” at Exabeam, and Legal Counsel Michael Bartz for their contribution to this post.)

    Gorka Sadowski

    Chief Strategy Officer | Exabeam | Gorka Sadowski is Chief Strategy Officer at Exabeam. In his role, Gorka assists the executive team and functional leaders across the company with developing, communicating, executing, and sustaining corporate strategic initiatives. Gorka has more than 30 years of security experience spanning leadership roles across product management, sales, marketing, and operations. Most recently, he was senior director and security and risk management analyst at Gartner driving coverage for security information and event management (SIEM), security operation center (SOC), and managed detection and response (MDR), while also leading research for IT leaders on emerging topics. Prior to Gartner, he led business development at Splunk where he established and built the Splunk security ecosystem. Prior to Splunk, he established presence for LogLogic in Southern Europe, ran security activities for Unisys in France and launched the first partner-led intrusion detection and prevention system (IDPS) in the industry as lead for NetScreen’s Emerging Technology efforts. A certified CISSP, he received a computer science degree from Universite de Pau in France before moving to the U.S. as a Ph.D. candidate in network security at the University of Miami.
