Authored by: Taylor Armerding, Software Security Expert at Synopsys Software Integrity Group
It’s lonely at the top, the saying goes. It can also be precarious. The rewards are big, but so are the risks. When things go well, the person at the top gets the credit. When they go wrong, that person frequently gets the blame.
That holds even when the people more directly responsible sit a bit lower on the corporate ladder. A report published by Gartner last year states, “Research shows that twice as many CEOs are being fired over cybersecurity incidents than CIOs or CISOs.”
The March 2019 report, titled 8 Reasons More CEOs Will Be Fired Over Cybersecurity Incidents, goes on to state, “CEOs and other non-IT executives treat cybersecurity like a black box and this negatively impacts their defensibility after an incident … CIOs and CISOs do not transparently address invisible systemic technology risk effectively, which gives their executives a false sense of security.”
What are CEOs doing wrong?
What are the specifics that undermine CEOs’ job security? The report lists eight:
Invisible systemic risk
This is the “black box” syndrome, where decisions like refusing to shut down a server for patching or continuing to use outdated hardware and software to save a few bucks are due in large measure to top executives having no visibility into security. As the report puts it, “This technical debt lowers security readiness and increases the likelihood and severity of a security incident.”
The problem of cultural disconnect is not new or unfamiliar. Any security conference in the world over the past decade or so has featured panels or keynotes exhorting security executives to “speak the language of business.”
But it is still a problem. The report asks, “Why is it that ‘security readiness’ is almost never addressed in the business requirements for a new application as expressed by the business owners requesting the capability?” The answer, the report states: “Because no executive would ever think it necessary.”
“CIOs need to put technology risk and cybersecurity into a business context so decision makers can better understand how their decisions impact their desired business outcomes,” the report says.
Throwing money at the problem
How could more budget be a problem? Because it is more important to manage risk than it is to eliminate every possible risk. If “perfect” security makes it impossible to use the tools that enable the business, then the business can’t function, and eventually there is nothing to protect.
Security officers are treated as defenders of the organisation
Of course, security officers should defend the organisation, but not if it puts them in charge of business outcomes they don’t understand.
“CIOs need to be sure that security does not act as a defender but rather as a facilitator of decisions that balance the need to protect against the need to run the business,” the report says.
Instead of asking, “Who gets fired if something goes wrong?” a much better question is “How can we balance the need for protection with the need to run the business?” While there is no such thing as perfect security, the report says it is possible to create “defensible” security — security decisions that can be defended to CEOs, boards of directors, and other senior executives.
Poorly formed risk-appetite statements
Making statements about risk appetite is related to the accountability problem noted above. Many organisations issue risk-appetite statements, which at least shows awareness. “Unfortunately,” the report says, “most of them are essentially declarations that ‘we don’t like risk around here.’ That misses the point of such statements, which is to create mechanisms that allow for the acceptance of risk within defined parameters.” Or, once again, something that promotes “defensible” risk management.
As we’ve seen over the past decade, society instinctively demands that heads roll after a major data breach. But this is largely due to the same “black box” problem that plagues CEOs. The public assumes that the corporate leader is guilty of incompetence or worse, because they have little to no understanding of risk management.
The report compares it to the public perception of a bank robbery. When a bank gets robbed, the public doesn’t demand that the bank president get fired. They understand that for a bank to function, it has to allow customers in. That means that criminals occasionally get in too.
Once again, it’s all about defensible risk management. There are certainly cases where executives should be fired. However, the report says, “Customers, shareholders and regulators should not lose faith in organisations that are put in defensible positions with their key stakeholders if they are balancing the need to protect with the need to run their business.”
Lack of transparency
Lack of transparency could fall into the category of “It’s not the crime, it’s the cover-up.” In other words, if a CIO or CISO never clarifies where risks exist and why they’re necessary, their risk decisions will be less defensible if there is a breach.
And the worst thing an organisation can do is to claim that there was no security failure when there was.
The report gives two examples from the health care industry. One company acknowledged its failure, responded openly to regulators, and put together a plan to address the problem. The other company denied it had done anything wrong, despite documented evidence to the contrary, and refused to work with regulators.
The first company was fined US$100,000 and settled the case with a three-year consent decree. The second was fined US$16 million and hit with a permanent injunction.
Simple math will tell you that the second company’s fine was 160 times that of the first. That ought to provide some incentive to make your risk management defensible.
How to be more defensible as a CISO
How do security executives practice the kind of defensibility that will help them keep their jobs? It’s a bit like finding the sweet spot between achieving perfect security, which is impossible, and being low-hanging fruit, which is avoidable.
The report suggests that these factors can have a positive impact on a CISO’s defensibility:
Prioritising investments in an appropriate level of security.
Addressing business decision making that creates inevitable but appropriate risk.
Fixing broken accountability that leads to inconsiderate engagement of risk.
Engaging non-IT executives effectively.
Supporting transparency with respect to gaps and opportunities for improvement.
Governance that supports a risk-based approach and the negotiation of appropriate controls.
Managing and uncovering invisible systemic risk.