SecurityWeek: CISO Insights for 2024

CISO Conversations

Cyber Insights 2024: A Dire Year for CISOs?

The role of the CISO continuously evolves in tandem with the growing reliance on cybersecurity as a business enabler. But is it possible that the SEC has pitched a curveball with its increasing assertiveness?

SecurityWeek’s Cyber Insights is an annual series discussing the major pain points for cybersecurity practitioners. These pain points differ year by year in line with the evolving cyber ecosphere: this year we include discussion on current pressures on the role of CISO, including the new SEC liability rules. Overall, Cyber Insights 2024 talks to hundreds of industry experts from dozens of companies covering seven primary topics. The purpose is to evaluate what is happening now, and to prepare for what is coming in 2024 and beyond.

The SEC has pitched a potential 2024 curveball at the role of the CISO. It will affect the role of CISO, but we have yet to see how it is played.

The role of the CISO continuously evolves in tandem with the growing reliance on cybersecurity as a business enabler. We’ll look at that. But it is possible that the SEC has pitched a curveball with its increasing assertiveness. We’ll also look at the potential 2024 effect of making CISOs criminally liable for security ‘failings’.

Cause and effect of role changes in 2024

Threat levels

The idea that what goes up must come down seems to apply to everything other than cybersecurity threats and attacks. Certainly, threat and attack levels will continue to increase through 2024. Cybercrime-as-a-service will increase the number of attackers and their access to advanced malware; geopolitics will drive sophisticated nation-level incursions and criminal retribution attacks; the coming quantum-driven cryptopocalypse will ensure ongoing ‘harvest now, decrypt later’ attacks; and all will be given a shot in the arm by gen-AI automation.

Since it will be impossible to defend against all these attacks, and breaches will inevitably occur, organizations will need to focus on being cyber resilient; “That is,” says Andrew Bayers, director of threat intelligence at Resilience, “being able to withstand the impact of an inevitable cyber incident without significant operational or material loss.”

Against this backdrop of increasing malicious cyberactivity, the role of the CISO will continue its expansion into all realms of the business.

Greater integration with the business

The influence of cybersecurity on business profitability continues to expand; and responsibility often falls upon the CISO. There is a natural temptation to make the CISO responsible for everything that has any connection to security: cybersecurity itself, compliance, privacy, engineering, and now AI.

“I expect further expansion of this position and its responsibilities, mirroring recent trends where CISOs take on combined roles, such as a CISO/CTO or CIO/CISO roles,” comments Emily Heath, general partner at Cyberstarts, and former CISO of United Airlines and DocuSign. “Gradually, CISOs are becoming a more prominent business leadership function, actively engaging in the core mission of the C-suite and wielding increased influence across all business facets.”


Is this continued combination of functions under one person sustainable? Probably not. But predicting the future of the CISO role is like a finger in the wind when the wind keeps changing. Consider the emerging trend to recombine IT and security, sometimes with one person being both the CISO and the CIO. This makes sense since the two disciplines are tightly related, but the CISO has greater influence and responsibility on ‘how’ rather than just ‘what’ technology should be introduced. The modern CISO is gaining greater influence over the CIO than the CIO has over the CISO.

“Some organizations prioritize security over other IT objectives,” says Evan Morgan, former executive director of cyber technology at Ally Financial and an advisor to Dazz, “and find it more effective to embed a CIO function within the broader compliance context, as cybersecurity is increasingly perceived as a critical component of businesses’ continuity and success.”

But this can only work for smaller companies. The two roles are too extensive in larger organizations to be combined under a single person. And if this applies to security and IT, it must equally apply to compliance, privacy, and AI. In some cases, particularly smaller organizations, the roles will be combined under the CISO. In other companies there will be separate leaders. In all cases, however, the CISO will need a deep and close relationship with these roles and how they can be best integrated into the business functions to maintain or even improve profitability.

In larger companies, this tendency to combine roles could lead CISOs to take a step back from the cybersecurity trenches. “In the coming year,” suggests Ilona Simpson, CIO EMEA at Netskope, “I expect to see an increasing number of CISO roles moving from ‘technical/tactical’ toward being board whisperers, cross-functional influencers, and drivers of cultural transformation. The people with these new powers are the right leaders to drive the digital trust agenda which is becoming essential to organizational strategies.”

Burnout and mental health issues will need to be addressed

According to the Chartered Institute of Information Security’s 2022/23 Report on The Security Profession, “Twenty-two percent of professionals work more than the 48 hours per week mandated by the UK Government, and 8% work more than 55 hours which, according to the World Health Organization, marks the boundary between safe and unsafe working hours.” The day-to-day workload, exacerbated by sudden and unavoidable firefights, is the biggest cause of stress.

Absent something unforeseen, both working hours and day-to-day stress are almost certainly likely to increase in 2024. Burnout, one effect of stepping beyond the WHO’s boundary between safe and unsafe working hours, is already a major problem for both CISOs and their staff. It will only get worse in 2024.

“I’m optimistic by nature,” says Heath; “but burnout among CISOs is indeed a huge problem – and I don’t foresee that changing anytime soon.”

Morgan adds, “Burnout among CISOs is a critical concern. The increasing responsibilities and legal actions, combined with the rapid evolution of both cyber threats and preventative technologies, make burnout an actual risk. Organizations must do more to support the mental health and well-being of their cyber leaders.”

Gerald Auger, consultant and adjunct professor at The Citadel (the military college of South Carolina), expects the problem to persist through 2024: “Burnout will be a problem as the acceleration of AI and rapid deployment of cloud web apps continues. The attack surface is expanding quickly… Specifically, if the business doesn’t value information security, allocate budget to enable proper defenses (tech and staff), and follow through on policy, the CISO will trend to apathy and burnout.”

Nevertheless, there is great satisfaction in being a successful CISO. Rick Orloff, VP and CISO at 8×8, adds, “Burnout often comes from lack of support to address the issues and the CISO gives up; that is, burns out. This is very different from running large complex programs as a successful CISO. The latter often don’t suffer from burnout – they thrive on their accomplishments.”

CISOs, SEC, and the liability curveball

The SEC has shown willingness to hold CISOs legally liable for security failings, and will more strictly enforce its own disclosure requirements. It provided clarification on these disclosure rules (first announced in July 2023) on December 18, 2023.

The combination of a four-day disclosure rule; an element of subjectivity in the definition of a ‘material cybersecurity incident’; and the separate threat of personal criminal liability will create new pressures for the CISO (and the board).

Four days is not long to determine whether an incident is material. And what does ‘material’ really mean? The likely definition is whether it would reasonably affect the decision-making process of a potential investor. But who decides on this?

Effectively, an incident is material if the incident victim decides it is material by reporting it as material. If the victim believes it is not material and consequently does not disclose the incident, it is at that moment not material. But the SEC can later overturn this belief – and a non-disclosed incident suddenly becomes something that could lead to prosecution because the SEC has subsequently decided that it really was material after all.

The primary questions are whether this will result in ‘over-disclosure’ by businesses; whether personal liability is reasonable; and what overall effect SEC requirements may have on cybersecurity in 2024 and beyond. There is much that will need to come out in the wash of 2024.

Over-disclosure

“There is a lot that is being figured out now about what constitutes a ‘material’ cybersecurity incident, and where the minimum bar should be set when it comes to a company’s security posture. As a result, we’ve seen a large variety in companies’ recent cyber incident disclosures, including both the frequency, level of detail, and even timing,” notes Daniel Trauner, senior director of security at Axonius.

He believes that 2024 will prove a ‘reckoning’ year – “including precedent-setting enforcement actions”. But he adds, “I’d like to see some more proactive discussions in this area by the SEC and others vs. relying on ‘regulation by enforcement’. If regulators and the industry aren’t proactive in this area, we may end up in a situation where companies play it safe and over-disclose information to the point of creating noise that masks truly material incidents.”

Every company has incidents, but not all of them should require public disclosure.

The liability threat

The threat to CISOs is real. “Sanctions may range from suspended and real prison sentences to hefty monetary fines and prohibitions to occupy managerial positions for a certain period of time,” explains Ilia Kolochenko, chief architect at ImmuniWeb. “Regrettably, cybersecurity insurance is unlikely to cover legal actions targeting employees of the insured organizations, leaving the former alone amid the mounting legal risks and little support from employers.”

The iconic example of SEC prosecution was that of Joe Sullivan — relating to his time as CSO at Uber. The issue revolves around whether Sullivan hid a breach from shareholders. Sullivan asserts that since the company had a bug bounty program, and since his team negotiated with the ‘hackers’, effectively paid a bounty, and prevented any public disclosure, this was not a ‘material’ incident and didn’t require disclosure to shareholders. Ultimately, it was a clash between subjective interpretation from the CISO versus legal interpretation from the SEC.

Is personal liability reasonable?

A very common view is that it is not reasonable to hold CISOs liable for security failings when their options are curtailed by business, not personal, restrictions: budget, manpower, board directions and so on.

“I’m in the camp that CISOs are advisors to the business,” comments Auger. “There will always be residual risk for an organization, and it’s the CISO’s job to communicate the risks and deliver multiple risk reducing strategies that have different resource (people, money, time) costs for the business. The business decides what the risk appetite is and what they are willing to invest to achieve that risk level.” In short, any liability should be company liability, not personal liability.

“CISOs are too often overlooked or low on resources, funding and/or business support to properly implement change,” adds Andrew Shikiar, executive director at FIDO. “Resting the legal liability on one individual is overlooking the vacuum of responsibility and engagement at the top of organizations that is preventing meaningful change and true cyber resilience.”

Heath points out, “A CISO is expected to collaborate with the company to identify policies that cannot be met, assess the associated risk levels, and communicate them transparently throughout the organization, including to the C-suite and the board… If a CISO has identified and communicated a high-impact risk to the relevant stakeholders, and everyone has chosen to accept it, should the blame fall on the CISO alone?”

Philippe Humeau, CEO and co-founder of CrowdSec, expands on the same concept. “The company should be made liable, yes. Being able to prove an under investment (if the company could afford it without operating at a loss) would rather be CFO/CEO responsibility in my book. But if the CISO failed in his role when properly financed, then yes, responsibilities should be identified.”

Morgan warns on the possibility of creating a risk-averse approach to security. Apart from complicating the existing challenge of recruiting and retaining CISOs, “It might foster a risk-averse culture, where compliance is prioritized over performance and ends up harming the business.”

Megan Brown, partner at Wiley Rein LLP, and formerly an advisor to the attorney general at the DoJ, similarly notes that the SEC’s good intentions and potentially beneficial results may still backfire. “It could ease the ability of CISOs to obtain resources. I could see this additional agency scrutiny causing more routinized communications among the Board, senior management, the legal department, and the security organization.”

But like Morgan, she fears it may precipitate a move toward over-reliance on compliance. “This may make security professionals gravitate more toward a compliance mindset and start to operate like accountants and auditors. It also may make the CISO rely more heavily on the legal department, which may not be efficient or promote agile security.”

How will this affect the position of CISO?

Could this liability lead to an exodus of CISOs? “For sure,” says Heath. “Organizations won’t be able to offer CISOs compensation for the high level of risk inherent in their role.” Morgan agrees. “There’s a real possibility that imposing legal liabilities could lead to an exodus of talent in the CISO role.”

It’s a genuine possibility, adds Mike DeNapoli, director and cybersecurity architect at Cymulate, but one that organizations must strive to prevent. “Each time a CISO leaves,” he says, “that person takes away massive amounts of valuable information and experience specific to the organization. This means that there will be a ramp time before the incoming CISO can fully assume responsibility for the defense of the organization – which proves significantly more detrimental to the organization than keeping the CISO would have created.”

There are two likely outcomes. “Making CISOs legally liable for security errors is contentious and could lead to negative consequences like an exodus or increased stress,” comments Anurag Gurtu, CPO at StrikeReady. “However, it might also lead to greater management support and more CISOs on boards.”

Morgan adds, “On a positive note, the threat of legal liabilities could lead to greater awareness and support from upper management. Recognizing the increased stakes, organizations might be more willing to allocate adequate resources and budget towards cybersecurity measures to mitigate risks, thereby strengthening the overall security posture.”

But DeNapoli doesn’t see much changing overnight. “The new regulations must face and overcome challenges before the Judiciary if they are to create long-term industry change,” he comments. Citing the New York State Department of Finance regulation 500 and even GDPR, he suggests, “After the first legal challenge succeeded in enforcement of fines and other penalties, that’s when business as a whole began to move. There will, however, be short-term movement as organizations begin their planning on how to deal with these regulations if, and when, they survive the Judiciary challenge.”

The whistleblowing insider threat

There is a further possible, but perhaps less likely, outcome: a conflation of whistleblower and insider threat since SEC pays rewards to whistleblowers who are likely to be insiders. “The scenario where insider staff might manipulate systems to claim SEC monetary rewards represents a significant risk,” says Morgan. “If legal liabilities lead to lucrative whistleblower opportunities, it could incentivize malicious or unethical behavior among employees, potentially leading to fabricated or exaggerated claims of security negligence.”

DeNapoli is more doubtful, calling it a possible but low-reward insider option. While the SEC does pay rewards, its track record is limited. “Additionally,” he continues, “such reporting is public knowledge – including whoever filed the report – so the potential for punitive retaliation is high [even if illegal]. This results in high risk and limited reward, which should dissuade most from attempting it. Unless the insider is attempting to destroy the company, which does happen, they stand to gain very little.”

While opportunistic reward-driven whistleblowing remains a possibility, Orloff also doubts the potential for it to become a true insider threat, likening it to fraud. “CISOs can control and audit systems, services, inputs, and outcomes,” he comments. “There are many controls used to audit and detect the manipulation of data making it very difficult to conduct fraud.”

Summary

The only certainty for CISOs in 2024 and the years ahead is that they’re in for a bumpy ride. Malicious use of AI will introduce a higher intensity of attacks, geopolitics guarantees an increase in elite APT-level attacks, struggling economies may limit resources, ransomware will grow and may include wipers, business responsibilities will expand, and compliance requirements and restrictions are increasing dramatically (apart from SEC, FCC and FTC requirements, Europe’s AI Act and NIS2 will have international consequences). And on the bottom line, CISOs are likely to be increasingly criminally liable for their actions and/or inactions.

“The job is difficult — I think for CISOs, even more so than for their staff, it is exceptionally difficult,” comments Charles Blauner, CISO in Residence at Team8 and a former CISO at Citi. “Over the last year or so, what had been a difficult job and an under-appreciated job, has now become a job that also potentially puts you at personal criminal or civil liability.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
