What companies and CISOs should know about growing legal threats

A new era of litigation is threatening the cybersecurity community. In the last 18 months alone, Tesla has sued two former employees for cybersecurity violations, the Federal Trade Commission (FTC) successfully indicted Uber’s former chief information security officer (CISO) for hiding a data breach, and the Securities and Exchange Commission (SEC) has charged SolarWinds and its CISO with fraud over non-disclosures and misstatements about corporate cyber risk. On top of corporate and government enforcement, businesses are being served with class action lawsuits over data breaches.

For publicly traded companies, failure to report or disclose internal control deficiencies and incidents is investigated by the SEC and the relevant jurisdictions. Private companies are not immune from these responsibilities, as federal, state and local jurisdictions impose cybersecurity obligations of their own. For example, the New York Attorney General’s office is leveraging the regulatory authority of the State Department of Financial Services (DFS) regarding digital assets. In another example, the FTC has taken action against the online alcohol marketplace Drizly, a private company, over allegations of security flaws that led to a data breach.

Some argue that the SEC only regulates publicly traded companies, but the agency has jurisdiction over many private companies as well. Under federal securities laws, every security that is bought or sold as stock or an investment must be registered with the SEC. This includes companies of all sizes, private and public.

Security officers are taking the hits

In this environment, many cybersecurity leaders are eschewing CISO roles for a less risky path, while others are concerned about the future of their entire profession. In an effort to reduce their statistical exposure to legal implications, some companies change CISOs frequently, and some CISOs change companies every two years. Uber has completely dissolved its CISO role to adopt a distributed responsibility model. It seems like many are taking steps back and moving in different directions. Is this progress? Will there be CISOs in the future?

With the rise of cybersecurity and law enforcement threats from governments, businesses and CISOs are more vulnerable than ever. While a balanced carrot and stick approach is essential, we also need programs that help fill the gaps. Here are some areas where we can collectively improve as a community.

Sufficient security budgets to complete tasks

Companies should be held accountable for their cybersecurity budget. Cybersecurity initiatives start with the tone set from the top. CEOs, CFOs and boards of directors should take responsibility for establishing cybersecurity budgets equal to or greater than those of other essential back-office functions, such as human resources, finance and IT. Cybersecurity requires tools and resources to effectively fulfill its role and mitigate internal control deficiencies.

Recognition that third-party attestation may not address all risks

I often find myself discussing compliance audits versus actual security risk. Companies should engage in risk-based controls that address security risks beyond the scope of compliance. This proactive approach can establish a governance structure for independent reporting of cyber risk that is communicated both top-down and bottom-up.

It may be difficult to distinguish between security researchers and criminals

Penetration tests once carried more weight because they focused on finding significant, exploitable attack paths. But over the past 10 years, penetration testing has turned into an expensive compliance obligation. Even when the pen-test findings are significant, they are frequently issues that a routine vulnerability scan would have detected. Some CISOs instead turn to bug bounty programs, which reward people with recognition and compensation for reporting software bugs. However, bug bounty programs must discern the fine line between security researchers and bad actors, and they add a layer of complexity of their own: When does a bug bounty submission turn into an incident? Who are you engaging with? Is this a security researcher, a criminal, or someone walking a fine line in between? We need a better approach to increasing the business impact of penetration-testing strategies. Perhaps we also need to invest in ways to help people turn their bug-hunting hobby into a fruitful cybersecurity profession.

Government enforcement against non-officers is not fair

The current governance structure for CISOs creates significant challenges. Reporting an issue could result in termination, while failing to report it could result in personal liability imposed by the government. This polarizing conflict is harmful to the entire cybersecurity community.

Security officers are employees contracted to protect companies. Employees should not be personally prosecuted simply for doing their jobs. Corporate governance must come from the top: from the officers and the board of directors. Therefore, we should be cautious about holding individuals accountable without having clearly defined rules of engagement. Just as clearly defined malpractice rules govern a doctor’s right to practice medicine, the government and private sector must establish malpractice rules for security officers to level the playing field.
