The SEC to CISOs – Welcome to the Big Leagues! (FORBES)

October 30, 2023, the SEC declared the CISO a material senior executive.

The SEC took a serious step on October 30, 2023. As law firm Sullivan & Cromwell LLP explained, the government entity “filed a complaint against SolarWinds Corporation and its Chief Information Security Officer alleging securities fraud and failures under the internal accounting controls, reporting, and disclosure controls provisions of the Securities Exchange Act in connection with allegedly material cybersecurity weaknesses and risks.” (However, it is important to note that, according to the Wall Street Journal, not all of the hack’s victims were tied to SolarWinds.)

I believe this move indicates something deeper—specifically, overnight, the SEC has essentially elevated the CISO role within the C-suite.

CISOs Should No Longer Be Buried as Mid-Level Managers

By holding a CISO accountable for fraud on behalf of an entire corporation, the SEC has recognized the critical role CISOs play in providing transparent insights into the state of cyber risk.

Often buried as mid-level managers at companies, most CISOs have two to three layers between them and the board of directors, making timely and transparent communication challenging at best. But with the issuance of these charges, the SEC has forced to the surface a long-festering issue regarding the CISO role: the balance between authority and accountability. From my observations, many CISOs feel the pressure of accountability for protecting the digital assets of their organizations, but they simultaneously lack the authority and resources to deliver on the objective of enterprise protection.

The SolarWinds case demonstrates that CISOs can and will ultimately be held accountable for their actions, and this will have far-reaching and material impacts on organizational structures, role definitions and the overall corporate governance of cyber risk. To illustrate this point, I’ll examine some key considerations for CISOs and companies at large. 

Considerations for CISOs

From what I’ve observed, the CISO community had already been feeling fatigued—overworked and underappreciated despite dramatic increases in financial compensation. This filing could very well cause some CISOs to depart their roles and others to change their demands in accepting new employment. Moreover, in-house CISOs will now have a more compelling case to demand that their job duties and compensation packages be reconsidered.

Specifically, I expect more CISOs to ask to be included in corporate directors and officer insurance (D&O insurance). This type of insurance provides protection for board members and the most senior executives. Historically a nice-to-have for many CISOs, the lack of this coverage will likely become a dealbreaker for them. Similarly, I predict that more CISOs will seek to clarify the specific terms of their employment agreements, wanting to fine-tune and add details about their roles, responsibilities and authorities, and perhaps even indemnification clauses.

Currently, I’m seeing two general schools of thought in the CISO community regarding this new level of accountability. One school perceives this as a great threat, and CISOs are reacting defensively, primarily seeking to minimize their personal exposure. The other general perspective is that the SEC has given the CISO community a tremendous gift—a huge promotion that recognizes the materiality of a role that has historically been underappreciated.

Considerations For Companies

Company leaders will have to make considerations as well.

The SEC alleges that the SolarWinds CISO painted an inaccurate picture of the cyber risks facing the company. The fact that no other executives were charged may indicate that the SEC didn’t find that other executives had sufficient expertise or firsthand knowledge to be accountable for fraud.

This calls for a moment of self-reflection for company leaders at SolarWinds and other organizations: If no other executives understood what was going on with cyber matters, why not? How could a publicly traded IT service management company have such a material cybersecurity governance blind spot? Regardless of the root cause, it appears that the overall cyber risk governance capability at SolarWinds failed, exposing shareholders and customers to material risks.

Some executives in the business world may take comfort in the fact that the attacker was, according to CNBC, a “Russian-backed hacking group” and that commercial enterprises have little chance of withstanding attacks from such advanced persistent threat actors. But in my view, that line of thinking misses the point and provides no cover. The breach occurred—and the failure appears to have been in how the company’s cyber capabilities were understood, managed and communicated to shareholders. Therein lies the potential learning opportunity for other companies seeking to avoid a similar fate.

Setting aside the particular details of the SolarWinds case, it is possible to infer some areas of focus that other companies might consider when evaluating how to strengthen cyber risk governance.

Expertise beyond the CISO: Do the board and the executive teams have sufficient expertise to understand the cyber threats facing the organization as well as the cyber defense capabilities?

Process rigor: Are there clear processes and external review points that allow for the identification of exceptions by an overarching cyber risk committee?

Role appropriateness: Is the CISO’s role clearly defined and placed? Is the CISO a risk management-oriented role—having both the accountability and authority to understand and mitigate cyber risks? Or is it a technical role in a larger IT organization where risk management is often subordinated to a broad technology charter that includes cost, customer satisfaction, etc.?

The CISO as a salesperson: Is the CISO put into situations that demand putting a positive spin on the state of cyber risk? It is increasingly common to use the CISO in conversations with customers and prospects to convey confidence in managing cyber risk. Is that an appropriate activity for a CISO? Or is it better left to the head of internal audit for financial matters?

The sooner company leaders start asking these questions, the better. It’s clear that the SEC is willing to back up its new disclosure rules with actions.

The Ripple Effects of the SEC’s Charges Against the SolarWinds CISO

The ripple effects of the SEC’s charges against the SolarWinds CISO will propagate for years, and many are just beginning to internalize the implications.

It is important for boards and executive teams to take a pause now; to think deeply and in an open, candid fashion. The business world changed on October 30, 2023—and it’s time for business leaders to take stock and evolve appropriately. Although it may have taken us by surprise, the CISO is now an even more important part of the C-suite. Congratulations!
