When most of us discuss cyber security threats, we tend to focus on the threat actor and their tactics, techniques, and procedures (TTPs).
But lately the conversation has broadened. In the wake of many recent major cyber incidents, the actions taken (or not taken) by the unfortunate organisation’s chief information security officer (CISOs) are under just as much scrutiny as those of the threat actors. CISOs are increasingly being held directly responsible for cyber security failings.
And while this may make life unpleasant for the CISOs in post right now, there is an argument to be made that these recent cases may improve the lot of CISOs to come.
Uber, SolarWinds, Sellafield, UnitedHealth
After the 2016 Uber breach, Uber’s CISO was convicted of fraud after they attempted a cover-up and made a payment of Bitcoin to threat actors. The CISO was found to have obstructed justice by not disclosing the breach to the US Federal Trade Commission (FTC), despite ongoing contact.
In late 2023, the US Securities and Exchange Commission (SEC) announced fraud charges against the CISO of SolarWinds for misleading investors because they did not disclose “known deficiencies” within the organisation.
Holding individuals to account for poor practices in business is not new, whatever their role. And it is common for organisations to hold their CISOs to account (or scapegoat them) for poor security practices. Usually this is done using internal HR mechanisms or ends with the CISO resignation.
Take the recent Sellafield breach that we covered in a previous article. The CISO in that case had been in their position for over ten years but left after Nuclear Leaks showed that the UK nuclear plant had been in special measures since 2022 for, “consistent failings on cyber security, according to sources at the Office for Nuclear Regulation (ONR) and the security services.” (It should be noted that the official position of Sellafield was that its CISO, after more than a decade in post, did not leave because of the revelations.)
Another step towards holding individuals to account was taken recently in the US, in response to the UnitedHealth Group (UHG) breach, estimated to have cost almost US$2bn.
Senator Wyden (the current chair of US senate’s committee on finance) has written to the SEC and the FTC, claiming that the CISO and CEO of UHG have contributed to the breach. Senator Wyden describes the CISO as ‘unsuitable’ for their role, despite being experienced in technology and holding an SVP role at Microsoft:
“One likely reason for UHG’s negligence, and the company’s failure to adopt industry-standard cyber defenses, is that the company’s top cyber security official appears to be unqualified for the job. Steven Martin, UHG’s chief information security officer (CISO), had not worked in a full- time cyber security role before he was elevated to the top cyber security position at UHG in June 2023, after working in other roles at UHG and Change Healthcare. Although Mr Martin has decades of experience in technology jobs, cyber security is a specialised field, requiring specific expertise. Just as a heart surgeon should not be hired to perform brain surgery, the head of cyber security for the largest health care company in the world should not be someone’s first cyber security job.”
The Senator also highlights the failings of the CEO and the board which, “should be held responsible for elevating someone without the necessary experience to such an important role in the company”. The implication is that there’s a need for ongoing education and a greater level of understanding of cyber security required by the UHG board.
The ‘C’ in CISO does not stand for ‘ceremonial’
Boards must realise that CISOs are not ceremonial heads of departments but vital parts of the executive leadership. They are responsible for helping drive the management of cyber security risk within their organisations.
Regulators across all industries recognise this – which is why mandatory cyber incident notification is becoming more commonplace across different regulatory regimes. Such notification requirements will only continue to put the spotlight on individual CISOs and CEOs, and what boards are doing to manage cyber security risk.
In other words, it is past time that the boards that have not yet given their CISOs a seat at the table make room for them.
Next steps for boards
Board education: Establish a programme for educating the board on cyber security issues, topics, and the latest trends. This should include threat intelligence and recommendations for responding to it.
Ensure the competence of the CISO: Establish whether the current CISO is fit for their role, based on their experience and performance. As the UHG case demonstrates, the hiring decision should not be based on the number of years in general technology, but on those spent specifically in cyber security.
Director and officer insurance: Check that existing D&O insurance covers CISOs.
Governance review: Review current internal reporting and management of risk to gain an understanding of whether any outstanding identified issues have been resolved or not. Note that understanding the risk is not the same as acting to mitigate it.
Expectations of the wider management body
Validate third parties: Confirm that any third-party providers of security services have the appropriate experience and skills to do so.
Understand current capabilities: Conduct a review of current cyber security capabilities using industry experts who work to an industry recognised framework (NIST CSF 2.0 is perfect for this). Like other reviews, it should be conducted on a regular basis as part of ‘business as usual’ activities. Internally produced reports will be an input for this exercise but should not be considered a replacement.
Threat intelligence: Understand the threat landscape and how specific threats facing the organisation may manifest themselves.
Final thoughts
Cyber security can no longer be seen as a side-of-desk activity that can be learned and practised on a part-time basis. Holding CISOs to account will reinforce this message, and so should be considered a positive step. Accountability elevates the role; it recognises the importance and impact that cyber security can have on a business.
As with other professions, there will be teething problems that will have to be worked through. But this is something that all other fields have done and is something that will be achieved over time. “Cyber security is a board level issue” – a phrase thrown around frequently but without an understanding of its wider context, even though it is now an irrefutable reality. Accountability and professionalism are the price to pay for cyber security being a board-level issue.
Cyber Risk
We bring the best of our collective experience, energy and creative power to fiercely safeguard our clients and fortify their communities.
Insights
Thomas Murray Partners with Socura to offer Managed Detection and Response to clients that need support to stop cyber threats 24/7.
The collaboration will see Thomas Murray offer Socura MDR to help its clients proactively identify and respond to threats.
Thomas Murray and Crimson7 Announce Strategic Partnership to Modernise Threat Informed Security
Thomas Murray and Crimson7 are partnering to combine their expertise and create innovative solutions for tackling key cyber security challenges.
Thomas Murray and askblue partner to support financial institutions in meeting the Digital Operational Resilience Act (DORA) requirements
Thomas Murray and askblue are collaborating to provide services that help financial institutions comply with DORA requirements.
Threat Intelligence for Law Firms: Protecting clients in the digital age
As a law firm, protecting your clients' data and reputation is more critical than ever in today’s digital-first world.