IT Strategy

At Shift Up Summit, CISOs debate evolving security role

Security pros are getting too much blame, says one conference panelist.


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

At last month’s Shift Up Summit in New York City, aimed at security and risk management professionals, chief information security officers had mixed feelings regarding how recent SEC regulations have shifted the direction of the role.

Some chief information security officers say the stakes of SEC disclosure rules have elevated the position to the prominence of other senior officer roles. Others seemed to say that the pressure demotes the CISO to a position where the “S” stands for scapegoat.

“Today, a lot of CISOs get the blame, like, ‘You didn’t educate your leadership. You didn’t influence them appropriately.’ I think some companies are looking for this magic CISO that both understands the technical, but then also has this ability to influence really strong personalities and professional executives, without any authority to enforce their recommendations,” said a panelist during a discussion about how the position of the CISO has changed.

The inaugural summit, sponsored by Microsoft, Kovrr, Silverfort, ISS Corporate, and Valence Security, brought together IT pros from a variety of industries to discuss strategies to help CISOs and cybersecurity professionals communicate effectively with C-suite executives and regulators. The event took place on March 20 at Microsoft’s Manhattan headquarters.

The “shift up” refers to the communication of risks from CISOs to the top of the organization.

“A strong shift up strategy is specially designed to communicate with, convince, and unite executive stakeholders so they can strategically allocate the appropriate corporate resources (financial, staffing, technological) to maximize and manage a business’s cyber resilience,” Tom Boltman, VP of strategic initiatives at Kovrr, wrote in a March 4 white paper this year.

One case capturing attention amongst the CISO community (and Shift Up panelists) was the SEC’s lawsuit against the software company SolarWinds and its chief security officer. (The company currently awaits a decision on its motion to dismiss the case.)

The SEC’s filing alleges that the company’s CISO “was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company.” (SolarWinds, in November, defended itself with written responses to the allegations.)

To Gram Ludlow, SVP and CISO at Marriott Vacations Worldwide, who was on the panel, recent lawsuits demonstrate that outside regulators are making cybersecurity a priority and raising the role to the level of other C-suite officers.

According to the 2024 annual Litigation Trends survey from global law firm Norton Rose Fulbright, 40% of the 400-plus individuals and organizations surveyed experienced litigation in the area of cybersecurity, data protection, and data privacy in 2023, up from 33% the previous year.

As litigation concerns shift up, so do concerns of some CISOs.

“Now we are going to be spending a lot more time doing CYA [cover your ass] to make sure that we’re not going to be the ones going to court. Suing us…making us liable doesn’t make our job any easier,” Jeff Moore, CISO at Staples, said during the panel.
