Nexus Podcast: Charles Blauner on the CISO’s Personal Risk Equation

Michael Mimoso
May 29, 2024

Charles Blauner has been immersed in the chief information security officer role since its infancy, having held CISO titles at JP Morgan and Deutsche Bank, and global head of information security at Citi, among other positions, from 1994 to 2019. 

Today, as Team8’s Operating Partner and CISO in residence, Blauner continues to advise and strategize with security leaders, and he recognizes that this isn’t the same job it was two decades ago. As more operational technology and medical devices are connected online, public safety and patient safety become top priorities for security leaders, who cannot allow prolonged disruptions to services.

“Safety and security, while related, are in fact different. Safety requires you to think in much more absolute terms. Security allows you to manage risk. Safety, there’s no risk management, it’s more life or death,” he said on this episode of the Nexus Podcast. “This is exactly where the IT/OT collision happens,” as more CISOs are finding themselves responsible for securing OT networks, devices, and processes.

As the stakes get higher for CISOs, they are also faced with increased regulatory, legal, and personal liability stressors that are forcing many in the role to take a hard look at their futures and ask whether the stakes are indeed too high.

“When I talk to a lot of sitting CISOs, there is a ton of concern about the changes to their personal risk equation,” Blauner said, adding that not long ago, the worst that could happen to a CISO or other C-level executive was that their job would be in jeopardy as the result of a breach. “That was part of the equation, and you just accepted that as part of the role, but you just figured I’d go on to my next role. But now it’s not just about getting fired, now it’s about getting prosecuted. Now it’s about bankrupting your family. Now it’s about the potential for jail or career-ending rulings coming down.”

SolarWinds CISO Tim Brown stands as the totem for CISOs in such a precarious situation after the company’s notorious late-2019 breach. Last October, the U.S. Securities and Exchange Commission (SEC) charged Brown and SolarWinds with fraud and internal control failures, accusing him of overstating the company’s cybersecurity practices and understating or failing to disclose known risks.

The SEC’s new disclosure rules, meanwhile, add further pressure on CISOs of public companies, requiring them to disclose “material” incidents on a tight timeline without providing a concrete definition of materiality.

“The world desperately needs good CISOs. And I think the SEC in an unintended way is potentially discouraging that from happening,” Blauner said. “The SEC’s intentions are actually quite good; they want the safety and soundness of companies. They just don’t have good tools available to them, so they’re using 100-year-old rules in blunt ways to try to fix things. So CISOs are scared.”

CISOs are now re-evaluating not only their career options, but also what legal protections they can obtain from their employers, whether in the form of Directors and Officers insurance or coverage of their personal liability under cybersecurity insurance policies. CISO negotiations may have a different flavor for the next several years. The industry may also have to brace for a potential exodus of leaders from the role.

“Go for those CISO jobs, but be picky about the companies you’re going to work with because it’s a lot more dangerous to make a bad choice today,” Blauner said.

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.