Source: securityboulevard.com – Author: Jeffrey Burt
A U.S. District Court judge may have dismissed most of the federal charges brought against SolarWinds CISO Tim Brown, but the case and others like it continue to ripple through the industry.
A recent survey by anti-ransomware vendor BlackFog of IT security decision-makers in the United States and the UK found that 70% said cases like Brown’s, in which a CISO is held personally responsible for cybersecurity incidents at their company, had negatively affected their opinion of the position, and 34% said the prospect of being prosecuted after an attack put them in a no-win situation.
Essentially, CISOs face internal consequences if they report security failings that may have left their organizations vulnerable to an attack, and federal prosecution if they do not report them. The concern is growing because government agencies are putting more regulations in place that require organizations to report cyberattacks.
“The role of the CISO is all about managing risk for the organization, but, as regulations tighten, security leaders increasingly need to consider their own personal risk,” BlackFog founder and CEO Darren Williams said in a statement. “High-profile instances of individuals being charged will no doubt add to the pressures they feel but could also be a catalyst for boards [of directors] to support their leaders.”
Improving governance, establishing clear lines of reporting, and putting incident response procedures in place are must-haves for organizations, but their security teams must also have the resources needed to implement the appropriate security measures, Williams added.
The SolarWinds Case
The U.S. Securities and Exchange Commission (SEC) in October 2023 filed charges against SolarWinds and Brown in connection with the massive data breach in 2020 by a threat group linked to Russia’s foreign intelligence services.
In the attack, which underscored the mounting threats to software supply chains, the attackers injected malicious code into an update to SolarWinds’ Orion network and infrastructure monitoring software. Many of the organizations that installed the trojanized update were compromised, with hundreds of companies and almost a dozen U.S. government agencies – including the Justice, Defense, and Treasury Departments and the Department of Homeland Security – falling victim.
The malware allowed the attackers to steal data from the victim networks and systems.
Misleading Statements
In its charges, the SEC accused both Brown and the company itself of misleading investors and board members about the strength of SolarWinds’ cybersecurity measures, along with downplaying or not disclosing risks, between 2017 and 2021.
The charges were a significant step by the federal government toward holding companies and their top cybersecurity officers liable for the security of their products and for attacks on their organizations. In his ruling in July, the federal judge dismissed the claims based on the disclosures SolarWinds made after the attack, writing that those charges “impermissibly rely on hindsight and speculation.”
In 2022, Joe Sullivan, who was CISO of rideshare giant Uber at the time of a major data breach in 2016, was convicted by a jury of concealing and failing to report that breach and of obstructing a federal investigation into an earlier Uber incident by hiding the 2016 breach from investigators.
The Good and the Bad
The cases against Brown and Sullivan continue to fuel debate in the cybersecurity industry. However, BlackFog’s survey indicated that while the cases have cast a pall over the CISO role, some see positive results coming out of them, including internal changes that improve security practices within organizations. About 44% of respondents said that, as a result of such cases, their organizations had implemented new procedures aimed at reducing their exposure to risk.
In addition, 41% – 47% in the UK and 35% in the United States – said their boards of directors were now taking cybersecurity more seriously, though only 10% said this had led to more funding for security initiatives. Also, 49% said the threat that an individual could be prosecuted in the wake of a data breach would improve accountability and transparency among security professionals. That view was more common in the United States, at 55%, than in the UK, where 43% agreed.
Only 15% of respondents, however, felt that the threat of prosecution could deter IT professionals from becoming CISOs.
Getting Coverage
One area where such cases might make a mark is insurance. Crum and Forster, an insurance company that offers a broad array of national property, casualty, accident, and health programs, announced in November that it was now offering liability insurance coverage for CISOs.
“CISOs are the front line of defense against cyber threats, yet their role may leave them exposed to personal liabilities – particularly in light of the Securities and Exchange Commission’s (SEC) new cyber disclosure rules,” Nick Economidis, senior vice president of eRisk at Crum and Forster, said in a statement. “Our CISO Professional Liability Insurance is designed to bridge that gap, providing an essential safety net by offering CISOs the protection they need to perform their jobs with confidence.”
Original Post URL: https://securityboulevard.com/2024/12/charges-against-cisos-create-worries-hope-in-security-industry-survey/
Category & Tags: Careers,CISO Talk,Cloud Security,Cybersecurity,Data Security,Featured,Governance, Risk & Compliance,Identity & Access,Incident Response,Industry Spotlight,Network Security,News,Security Boulevard (Original),Social – Facebook,Social – LinkedIn,Social – X,Spotlight,Vulnerabilities,CISO,security responsibility,solarwinds attack