CISOs and former CISOs getting liability chills

With concerns of liability, a tough job has gotten tougher, one IT pro says.
Francis Scialabba

The chief information security officer (CISO) gig is increasingly exposed to the elements, as agencies like the SEC have begun saddling CISOs with legal consequences in cases of incident mismanagement.

“Because personal liability is a real possibility, the tenor of conversations with executives and board members may change. By extension, there is a definite chill in the CISO community—a general feeling that a hard job just got a lot harder,” read a Feb. 26 post from law firm Allen & Overy.

Recent SEC rulings and liability pressures have had a chilling impact on the chief position, according to CISOs, former CISOs, and IT pros who spoke with IT Brew, leaving many to move on or stay away from the position.

“To really victimize either the enterprise, or the principal players in the enterprise, that are acting on good faith in roles as CISOs is doing a lot of damage to the entire industry. And part of that damage is the fallout, either CISOs leaving the job or CISOs that are competent, and choosing not to do the job,” said Jim Routh, current chief trust officer at Saviynt and a former CISO.

A mighty wind. In October 2023, the SEC announced charges against SolarWinds and its CISO “for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” SolarWinds’ public statements about its cybersecurity practices and risks differed “starkly” from internal discussions and assessments, the SEC charged.

The high-profile case of the SEC vs. SolarWinds demonstrates a chilly standoff between government and security pros. (The company awaits ruling on its January motion to dismiss.)

“It’s created, obviously, a more stressful environment, for a CISO who’s already operating in a very stressful environment,” Deron Grzetich, cybersecurity lead at the digital-services firm West Monroe, said, noting how low budgets and high risks are prevalent in many IT environments.

“CISOs, I think, are getting concerned about how their actions are going to be viewed in the light of day, post-incident,” Anna Rudawski, partner at global law firm Allen & Overy, told IT Brew.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

A February 2 amicus brief, cosigned by “thirty individuals and entities with vast experience in cybersecurity,” including many former CISOs, showed support for SolarWinds in its case against the SEC. “Knowing that they may be unfairly and disproportionately exposed to personal liability rather than treated as a victim could deter CISOs from creating a ‘trusted relationship’ with the Government,” read the brief.

It’s actually not that cold out. Not every CISO, however, is feeling the lia-chill-ity. Mandy Andress, CISO at Elastic, sees the increased liability pressures as a natural progression of security becoming a business-critical function.

“I’ve heard a lot of folks make the analogy that where CISOs and security is today is similar to where CFOs were before Enron activities,” Andress said. Andress is also on the company’s directors and officers (D&O) policy—insurance increasingly getting attention among CISOs, Rudawski said, which may cover legal costs associated with prosecution.

How to find a little shelter. Make sure that the board gets regular updates on risk management, and demonstrate that risk is regularly on a company’s radar, Rudawski recommended to today’s CISOs.

“Where we see regulators in particular get a little testy or where they’re more likely to enforce is where you have a risk that’s been identified three years running, and there’s never been a plan in place to fix it,” Rudawski said.

Routh advised that today’s chief information security officers follow a practice he learned over years as CISO at public companies like American Express and Aetna: Establish crisis management plans and communication strategies using predetermined definitions of materiality, confirmed by the executive team in advance of an actual crisis.

But count Routh as one more professional out of the CISO game, which offers a little more free time.

“I have the luxury of being able to read for leisure, and when you’re a CISO, you read because you have to consume information,” Routh said.

Or maybe he could even go for a walk outside, if the weather’s warm.