CISO%20Accountability%20and%20the%20SolarWinds%20Breach%20.png?profile=RESIZE_710x

The recent enforcement action by the SEC against SolarWinds' CISO has sparked significant debate within the cybersecurity industry. This unprecedented move has set a precedent that raises important questions about regulatory governance, enforcement practices, and the individual accountability of Chief Information Security Officers (CISOs). In this blog, we explore the ramifications of this action, its impact on the industry, and the broader implications for cybersecurity professionals and organizations.

 

 

Here is the verbatim discussion:

Industry so what's gotten people's goat about this one yeah I think first and foremost this is a precedent setting event uh and and that you know is not uncommon for the enforcement of new regulatory requirements uh once the the way you know our legal regulatory process works is legislation typically initiates the need for change in regulatory governance uh and then The Regulators figure out how to enforce that change and that usually takes years and there's lots of interaction between the private sector and the public sector to work through the mechanics of how to actually do enforcement and then the practices that enterprises need to adjust are kind of worked out during that process as well and there's somewhat of a collaborative effort between the regulator and the Private Industry to kind of work out the Kink so to speak but when there's an enforcement action taken like this it sets a precedent for how the agency in this case C SEC will uh do enforcement and in this particular case uh we've got a ciso that's uh basically uh being reprimanded for not sharing uh information at the right time uh around uh security posture as well as uh not sharing the right information uh in on both counts uh and the enforcement action uh against an individual uh as a ciso it sets a precedent and that precedent has ramifications and that's what's creating a backlash of practitioners saying ho ho ho wait a minute here this you know this enforcement action appears to be a bit Draconian uh enforcing on an individual and not necessarily warranted and then as we peel back uh kind of the layers uh there's some pretty good arguments to support the notion that uh this is not a precedent that is good for the industry it's actually a precedent that is negative has negative consequences to the industry so some of those negative consequences include uh potential Chief information security officers interviewing for a ceso role and deciding during the interview process that they're uncomfortable with the potential risk to them as an individual and they step down and say take me out of the Hat you know I'm not interested in uh in interviewing any longer and as a case Point um I sometimes do some work helping companies um bring on cesos uh and uh I'm I'm doing a uh a Consulting engagement right now and there's a dozen candidates two of the 12 candidates have chosen not to pursue the role simply because they're concerned about their own personal liability and this case the sec's case against Tim Brown and solar winds uh is used as the Catalyst for uh triggering that response or action now when you're in a marketplace where cyber security Talent is scarce in terms of the availability of talent and the demand for that Talent.

 

 

Highlights:

Precedent-Setting Event:

  • The SEC's enforcement action marks a significant shift in regulatory practices, focusing on individual accountability rather than corporate responsibility.
  • This move has highlighted the evolving landscape of regulatory enforcement and the critical role of CISOs in maintaining security postures and compliance.

Regulatory Process and Enforcement:

  • Typically, regulatory changes involve collaborative efforts between the private and public sectors to develop practical enforcement mechanisms.
  • The sudden enforcement action against an individual, rather than a corporation, has disrupted this collaborative dynamic, causing concern among cybersecurity professionals.

Draconian Measures and Industry Backlash:

  • The enforcement action has been perceived as draconian, with many arguing that it unfairly targets individuals and sets a negative precedent.
  • The backlash stems from concerns that such actions could deter talented professionals from pursuing CISO roles due to fears of personal liability.

Impact on CISO Recruitment:

  • The case has already affected the recruitment process for CISOs, with potential candidates withdrawing from consideration due to liability concerns.
  • This trend exacerbates the existing scarcity of cybersecurity talent, making it even more challenging for organizations to find qualified security leaders.

Negative Consequences for the Industry:

  • The precedent set by this case could lead to broader negative consequences, including reduced cooperation between private industry and regulators.
  • It may also hinder the development of effective security practices, as fear of personal repercussions could stifle open communication and proactive risk management.

 

The SEC's enforcement action against SolarWinds' CISO has undeniably set a controversial precedent with far-reaching implications for the cybersecurity industry. While intended to enhance accountability and transparency, this move risks deterring top talent from critical security roles and undermining the collaborative efforts needed to develop effective regulatory enforcement. As the industry grapples with these changes, it is crucial for both regulators and private organizations to find a balance that ensures robust security practices without unfairly burdening individual professionals. Moving forward, ongoing dialogue and cooperation will be essential to navigate these challenges and foster a more secure and resilient cybersecurity landscape.

 

Speakers:

Jim Routh a board member, advisor and investor with specific expertise as a transformational security leader focused on applying risk management discipline to a converged security function for global enterprises to achieve enterprise resilience. Demonstrated track record of designing security control using innovation and data science to align senior executives to deliver world-class level security capabilities to drive positive business results in a digital world.

https://www.linkedin.com/in/jmrouth/

 

Micheal W. Reese Over 30 years’ experience in Information Technology serving in senior executive positions encompassing security, general operations management, project management, process change and development, business development as well as service and product management functions. A Cybersecurity Specialist, licensed as a Computer Forensics Investigator, Certified Information Systems Security Professional, Hacking Forensic Investigator and Fire and Explosion Investigator . Assisted both the DOJ and FBI on several matters, worked with High Tech Crime Units in Portland and Sacramento. Given expert witness testimony in hearings, depositions and at trial.

 

https://www.linkedin.com/in/michael-w-reese/

 

Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

 

https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist

 

Pritha Aash managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

 

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)
 

 

 

Best of the World Talks on The CISO's Journey: From Expert to Leader

  • Description:

    We are hosting an exclusive "Best of the World" Talks session on "The CISO’s Journey: From Expert to Leader" featuring David B. Cross (SVP & CISO at Oracle), Bikash Barai (Co-founder of CISO Platform & FireCompass) & David Randleman (Field CISO at FireCompass).

    The journey from cybersecurity expert to strategic leader is a transformative one for CISOs. This session delves into the stages of a CISO’s evolution, the balance…

  • Created by: Biswajit Banerjee
  • Tags: ciso