CISO Liability and Lawsuits in the Face of a Crisis, Part 2
Simple steps any current or aspiring CISO should take prior to a breach
Let’s pick up where our last post (CISO Liability and Lawsuits in the Face of a Crisis, Part 1) left off.
Being offered a CISO role can be perceived as a promotion, and very often it is. However, individuals must resist the temptation to sign on the dotted line and take on that responsibility until they understand that their personal liability could be engaged if something really bad happens in the organization. They must feel comfortable assuming the CISO role, and know that they will have the opportunity to drive the necessary programs and initiatives in the organization. With these factors in mind, the steps below can help any current or aspiring CISO as they step into the role.
- Research the organization before accepting the job. Due diligence from an aspiring CISO starts with the candidate doing his or her homework before accepting the role. During the interview, CISOs should be determining how serious the company is about cybersecurity. Is the organization really committed to a strong security program, or merely looking for a potential scapegoat if/when a breach occurs? Insist on interviews with key members of the executive staff and the Board of Directors. If interviews with these stakeholders somehow cannot take place, this is already a bad sign. Likewise, if access to key documents such as current and future plans for security in the organization is denied, this is another red flag, because lawsuits and other legal discovery will likely include them. Why is the organization looking for a CISO? Is this a new role, and if not, what happened with the prior CISO? Do not allow yourself to be a potential scapegoat.
- Validate the organization’s legal and regulatory requirements. Map the organization’s vertical industry (e.g. finance, healthcare, government) landscape from a legislative and industry best practices standpoint, using your knowledge and understanding of that space. Do the protocols you have implemented align with applicable laws and industry standards? Does your organization have resources who hold appropriate certifications — some examples in no particular order include Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), and Certified Information Security Manager (CISM)? Beyond management and technical certifications, do these resources have experience implementing and maintaining such programs?
- Assume the incident has already happened and the public will know soon. According to Verizon’s 2020 Data Breach Investigations Report, adversaries were hiding in an organization’s network for months in over 25% of breaches. Because of dwell time and advanced persistent attacks, CISOs need to assume the adversary is already inside. Do you have, or can you put in place, a robust intrusion detection and response program?
- Understand that a breach can be discovered on day one of the new position. CISOs need to be prepared for a breach discovery at any moment, including at the start of their tenure at an organization. The defense of, “It’s not my fault as I just started this position,” may not fly in the eyes of customers and stakeholders in the event of a breach. Even if a CISO just started, they will need to represent the organization to customers and stakeholders. CISOs will need to be ready to own the decisions the organization has made in the past 10 years and assume the consequences of those decisions. Do you feel comfortable “owning” that spot?
- Establish a plan for a data breach as soon as possible. One of the first steps a new CISO should take is to establish a clear plan for the organization in the event of a breach. CISOs should drive the incident response process and assign ownership to the relevant stakeholders. Then, they should test it. Define the recovery approach and include post-breach communication expectations. The business needs to be back online as quickly and efficiently as possible, but not at the expense of shortcuts that the CISO may regret later.
- Have allies within the organization. Be an enabler to the business — don’t reflexively refuse every risk, but rather help the organizational leadership understand these risks and balance them with programs and investments. Of course you need to get along with “IT,” but you also need to pay particular attention to the legal team and the sales organization, as they need to be your friends for you to be successful as CISO.
- Communicate, communicate and over-communicate. Do you have it in writing? This point speaks for itself. Communication on preventative and responsive breach actions should ideally be in writing so there is a clear audit trail to avoid any “he said/she said.” Never accept a verbal mandate that doesn’t pass your “smell test.” Get it in writing, and make sure that there are no ambiguities in the ask.
- Ask for resources, in writing. CISOs should ask for resources to constantly improve the organization’s security posture and state of IT. Even if the company refuses and de-prioritizes security and IT funding compared to other expenses, the documented ask could prevent a CISO from being held accountable in a breach. The documentation must also show that both the CISO and the organization have taken a risk management approach, balancing the need to run the business with the security risks.
The cost of security failures is more than being a headline. Large breaches can take years to clean up and settle in court. By getting ahead of the breach, understanding the required level of due diligence and having a defensible approach, incorporating some basic common-sense steps, plus getting leadership on board with cybersecurity, CISOs and their security teams can help avoid termination… or worse.
Editor’s note: This post was first published on Medium.com.