On Nexus, former NSA Director Adm. Michael Rogers writes about the current legislative and personal liability changes that are impacting the CISO office. But Rogers urges security leaders to view these times as an opportunity to refine their business acumen and ensure cybersecurity is a priority across the enterprise.

CISO Unrest is an Opportunity

ADM. Michael S. Rogers, USN (Ret.)
Jul 11, 2024

Amidst the legal, regulatory, and geopolitical stressors encircling today’s chief information security officers, there is opportunity. 

I fully acknowledge that legal and financial repercussions pose personal liability risks to senior cybersecurity leadership like never before. I also recognize that the U.S. government and other governments worldwide are penning new legislation that will bring mandates to critical industries, mandates that will largely become the cornerstone of cybersecurity programs. Furthermore, I understand there are adversaries, both criminal and state actors, that are embedding themselves in critical infrastructure and targeting cyber-physical systems, bringing an unparalleled scale to threats.

And yet, I firmly believe all of this unrest brings opportunity.


I love leading in challenging times, and I think CISOs should embrace this mounting adversity to do the same. Sharpen your skills and build great teams—cybersecurity requires a broad cut of expertise and partners. This is your chance to embed yourself within the fabric of your organization and become an influencer up and down the org chart. This foundation will enable you to execute on a policy and technology plane in order to protect the safety, reliability, and availability of critical systems that backbone our way of life.

Opportunity No. 1: Prioritize Basic Security Hygiene

To do so, foundational cybersecurity practices must be honed and in place. At the risk of sounding so 2002, I have to remind you here that most incidents today, more than two decades later, continue to have basic security shortcomings at their core. Well-known vulnerabilities and poor authentication and authorization practices are much more likely to be a root cause of a breach than a zero-day vulnerability and exploit. 

The above should be Job 1, and it should be carried out in the context, and with an understanding, of what makes your company or industry tick. Every company has an outcome, and there are core processes, intellectual property, or data that are a direct line to success or failure in generating that outcome. These challenging times are your opportunity to lock down basic security practices, especially those around authentication. Prioritize foundational security, and protect your company's most valuable assets with technology such as multi-factor authentication. Know where your exposures are beyond critical vulnerabilities, in particular around remote access and insecure configurations, and make decisions in that context.

Opportunity No. 2: Refine Your Business Acumen 

There is also a natural current in this dynamic that will pull you in closer to business leaders inside your organization. The CISO role has never been exclusively a technical one, and those leaders who choose to approach it in this fashion are not going to succeed. You must work with a broader team of executives and decision makers, from the CFO’s office to business leaders. You must reach across all these tables and be conversant with people inside your organization that are fluent in cybersecurity, and those who are not. 

This is especially relevant for CISOs who may be responsible for reporting to C-level executives and boards, whose members may have limited security understanding. Those leaders not only hold the purse strings; they also set the organization's priorities, and they can be powerful partners in your efforts to achieve cybersecurity. The urgency around today's legislative environment and threats from advanced actors is an opportunity to apply your understanding of the fundamental business and explain external and internal cybersecurity risks in those terms.

Opportunity No. 3: Personal Liability Enters the Equation

The SolarWinds and Uber cases upended any personal risk equations CISOs may have had. Not only are you shouldered with the security of your business, but you also have to watch your back, understand your personal liability during breaches, and be proactive about securing personal legal representation in the event of action taken against you. 

The time has arrived to understand, and inquire about, your level of coverage under your company's corporate directors and officers insurance policy and what supplemental protection you as a CISO should be thinking about. You need to know whether your leadership will go to bat for you in the event an incident results in charges against you and those under you.

Given the rapidly evolving regulatory and legal environment, use your experience and expertise to ensure that business leaders and decision makers understand the risk these changes bring to you as an individual as well as to the broader company, shareholders, and customers. 

There’s also an opportunity to demonstrate to business leaders and executives that risk may require a rethink around legal representation. Should you champion counsel with deep cybersecurity experience and understanding? 

For public companies, for example, the SEC’s new disclosure rules bring new layers of pressure around materiality and when incidents are declared and reported. This must be a team decision spearheaded by your clear understanding of the company’s security posture, and the legal expertise of an attorney steeped in cybersecurity. 

The CISO role is at a crossroads, and many security leaders are lodged in a personal debate as to whether the personal risks, to career and financial security, are worth it. I personally hope we don't see an exodus from the role; enterprise and critical infrastructure organizations need strong, experienced leaders at the forefront of the policy and technical decisions that impact the safety and availability of critical infrastructure enterprises.

ADM. Michael S. Rogers, USN (Ret.)
U.S. Navy Admiral, 17th Director of National Security Agency

U.S. Navy Adm. (Ret.) Michael Rogers served as the 17th Director of the National Security Agency and the 2nd Commander of U.S. Cyber Command. Adm. Rogers presided over the activation of the Pentagon's Cyber Mission Forces and the elevation of U.S. Cyber Command to unified combatant command status. He is currently the chairman of Claroty’s Board of Advisors.
