Defining CISO Roles and Accountability in Cybersecurity Disclosures by Matthew Rosenquist, Jim Routh & Micheal W. Reese

The discussion centers on the evolving role of CISOs in the wake of significant cybersecurity incidents, such as the SolarWinds breach. The conversation explores the responsibilities of CISOs, the interaction between different departments, and the need for clear protocols and accountability in security disclosures.

Here is the verbatim discussion:

Yeah, and I've had some interesting conversations with the industry, you know, with a number of recommendations, and let me list off five here and tell me if you guys agree, or if there's a particular one that you guys think is more valuable, or maybe one you think should be off the list. Number one is to clearly document the roles and responsibilities of that CISO, right? Are they going to have final say? Do they actually have to sign off on it? You know, after legal reviews it and gives a thumbs up, does any minor change have to go back to the CISO to get approval for these types of disclosures? That'd be one: the clear documentation of roles and responsibilities. The second: if you're going and getting a job as a CISO, you really should have, you know, D&O

pointing out is somewhat reasonable. The content for any kind of security disclosure publicly should come from the experts, and the experts are in the cybersecurity organization, and the cybersecurity leader represents that. So, no, I have no qualms about that, and I think most CISOs would say, hey, I'm willing to step up to that responsibility, and that's part of the PR package here, and that's the way it should be. So I accept that as kind of one of the responsibilities. But I just want to point out that, you know, it takes two to tango. In other words, the CISO has to convince the legal department on both what information to share and when to share that information, and I don't think that's necessarily a bad thing. I think that there's, you know, some give and take that is probably helpful in protecting the enterprise. But ultimately, in terms of the technical content of the disclosure, it really does fall upon the CISO, and I think most CISOs are willing and ready to accept the accountability for that.

Yeah, and just to add on to your point, I think it's not only legal. I think the CEO has probably more culpability than legal or any other executive other than the CISO in this. The CISO provides the information and can make very informed statements and call out, you know, things that are not factual, but at the end of the day I think the CEO has certain responsibility, being at the top of that pyramid, to also make sure that everything that's being said is meeting with their fiduciary duties, is, you know, accurate, and the company is being forthright to their investors, or in this case also prospective investors. And we're not necessarily seeing this, right? The case is pointed at SolarWinds the company and then specifically calling out the CISO. So maybe there's a document, so if people want to go look at that, right, the SEC claims, and again these are claims, they haven't proven it yet, but the SEC claims that the CISO knew of attacks against three different customers: one in May 2020, one in October 2020, and the other in December 2020. Now after the last attack, the one in December, they then decided to file a Form 8-K disclosure to the SEC. This is the form that basically says something bad has happened, something material here, we need to inform the investors because this can impact them, right? But they failed to disclose that the vulnerability at issue had been exploited over the previous six months and impacted two other customers much.


Highlights:

Documenting Roles and Responsibilities:

  • Clearly outline the roles and responsibilities of the CISO.
  • Determine if the CISO has the final say and approval on security disclosures, including any minor changes after legal review.

D&O Insurance for CISOs:

  • CISOs should ensure they have Directors and Officers (D&O) insurance as part of their employment package, given the potential liabilities they face.

Responsibility for Security Disclosures:

  • The content for security disclosures should come from the cybersecurity organization, with the CISO being the primary representative.
  • CISOs are generally willing to accept this responsibility, acknowledging it as part of their role.

Collaboration with Legal and CEO:

  • The CISO must work with the legal department to determine what information to disclose and when.
  • There is a necessary balance between the CISO and legal to protect the enterprise.
  • The CEO also has significant responsibility in ensuring the accuracy and forthrightness of disclosures, fulfilling their fiduciary duties to investors.

Case Study: SolarWinds Breach:

  • The SEC claims the SolarWinds CISO knew of attacks in May, October, and December 2020 but failed to disclose them promptly.
  • The Form 8-K disclosure was filed only after the December attack, without mentioning the earlier breaches.
  • This raises issues of transparency and timely disclosure to investors.


The conversation highlights the critical need for clear documentation of CISO responsibilities and collaboration between the CISO, legal, and executive leadership in managing security disclosures. The SolarWinds case serves as a stark reminder of the importance of timely and accurate communication of cybersecurity incidents to protect investors and maintain corporate integrity.


Speakers:

Jim Routh is a board member, advisor and investor with specific expertise as a transformational security leader focused on applying risk management discipline to a converged security function for global enterprises to achieve enterprise resilience. He has a demonstrated track record of designing security controls using innovation and data science, and of aligning senior executives to deliver world-class security capabilities that drive positive business results in a digital world.

https://www.linkedin.com/in/jmrouth/


Micheal W. Reese has over 30 years' experience in Information Technology, serving in senior executive positions encompassing security, general operations management, project management, process change and development, business development, and service and product management functions. He is a Cybersecurity Specialist, licensed as a Computer Forensics Investigator, Certified Information Systems Security Professional, Hacking Forensic Investigator and Fire and Explosion Investigator. He has assisted both the DOJ and FBI on several matters, worked with High Tech Crime Units in Portland and Sacramento, and given expert witness testimony in hearings, depositions and at trial.


https://www.linkedin.com/in/michael-w-reese/


Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.


https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist