Breach Accountability: Blaming the CISO vs An End to Shaming

Written by

Dr John I. Meakin, Group CISO, GSK
Dr John I. Meakin, Group CISO, GSK

Blaming the CISO

Should a CISO carry the can if a business suffers damage from a hacking attack? This question must sit in the back of the average CISO’s mind more and more frequently as he/she witnesses tremendous growth in the risks to cybersecurity. Indeed, over recent years we have seen a number of CISOs fall on their swords in the aftermath of major, publicized cybersecurity incidents.

The arguments for CISOs taking the blame are pretty clear: the role is a well-established one in many businesses, paid well and with a well-defined set of responsibilities. It is even one that is steadily being entrusted with more investment budget by the business’ leaders as the headline-grabbing, cyber-snafus stir up more concern in the boardroom.

In fact, on average – and this is a gross generalization – there has never been more money available to CISOs to invest in the security of their businesses than today.

The volume and variety of useful technologies available to secure the various aspects of an electronic business is large and grows apace. The body of expert knowledge in the field is also large and well-developed, with sources of expert advice readily available to new and experienced CISOs.

The key tool for the CISO – analysis of cybersecurity risks applicable to their business – is a well-developed methodology that will help the CISO make the right choices of technologies to acquire and deploy to secure their business. The same technique allows them to understand the contribution of peoples’ behavior and business processes to insecurity. Thus, they can include the necessary education and awareness with process improvement in their cybersecurity strategy.

"There has never been more money available to CISOs to invest in the security of their businesses than today"

With the (mostly) ready support of a CIO, C-suite and the board, a CISO is empowered to lead change for better security. So, assuming that we can ignore the increasingly uncommon situation where a CISO is a lonely and ignored voice crying in a corporate wilderness, why should he or she not pay the ultimate price if-and-when business security is compromised?

Of course, there are many potentially valid excuses that would at least share the blame for any insecurity that arises. Perhaps the strongest one is the truism that it will only take one employee ignoring good practice for a sufficient opening to allow a security compromise to occur. In a very fundamental way, the organization will only be as secure as the behavior of the least aware or most careless staff.

If the people in the business are not working for better security, then the CISO’s job becomes one of making up for persistent insecure behavior through careful monitoring and rapid response, and of course changing people’s behaviors is notoriously difficult.

In addition, strong support and budget from top management and the board in a business is not always such a blessing for the CISO. Often the dialogue between CISO and business leaders is very imperfect, and part of the blame for this lies with CISOs who find it difficult to talk about their subject without using jargon.

The CISO is also hampered by a limited ability to express the level of threat and the potential business impacts in terms of reliable, clear data, yet Boards and top management are used to having at least some reliable information on which to make their other business decisions.

Add to this fogginess of the cyber-discussions in the boardroom, the general unwillingness of senior business leaders to admit to the limitations of their knowledge and understanding of the subject – and the net result is a very imperfect outcome. This outcome often puts the CISO on a potentially losing wicket. The CISO is told to ‘go fix cyber’, and is given the money, but fails to make the board understand that cyber does not get ‘fixed’ but is rather an ongoing journey as technology and threats change. As a result, the CISO feels the pressure to deliver some tangible firm improvements, devoting his or her scarcest resource (expert labor) to trying to finish the most tangible few things as opposed to some of the less visible but more effective and durable processes.

In the next round of board dialogue the progress towards ‘fixing’ is still not clear to the board – due to the same old limitations of both sides – and so the CISO goes away again to focus on a visible part of the battle. In consequence, the CISO may indeed implement lots of apparent wins, but may end up losing the battle when the business is targeted by malicious forces.

In the final analysis, the CISO’s task is just very hard. It is complicated to implement and operate a myriad set of security controls across an organization of size – no security team under the CISO’s leadership will be big enough to be able to oversee every security mechanism continuously. Nevertheless, the CISO does have monitoring at his disposal – and increasingly has options (and investment from the business) to implement technologies that provide security that is less reliant on staff or operators always being on the ball.

A good CISO should expect insecurity and specialize in swift detection and agile reaction that minimizes business damage. A good CISO will be telling his or her lords and masters that this is the unavoidable way of the world, but must also keep an eye on the job market every now and again too!

Theresa Payton, CEO and President, Fortalice Solutions
Theresa Payton, CEO and President, Fortalice Solutions

An End to Shaming

A cyber-attack is no longer an if, but a when. For many, this is a startling revelation and once accepted, forces a significant shift in perspective. For too long, we have victim-shamed information security executives when they have experienced a breach. We blame them for not protecting our data and therefore not protecting us. We blame them for not outsmarting criminal syndicates. We blame them for not acting quicker, or slower, or for telling us too soon, or too fast.

Vilifying the victim is conventional wisdom during a data breach. When there is a bank robbery, we do not blame the bank for having money to steal, we ask the bank to put in safety measures knowing theft will still happen. Post data breach, the chief information officer, chief information security officer or board member is often the first to be blamed.

However, that’s just it, isn’t it? They were attacked. When your home or business is broken into, you’re considered the victim of a crime. You are protected under the law and mechanisms exist for you to seek justice, but these basic tenants hardly exist in the digital world.

Information security executives bear an enormous responsibility for the safety of the information they are charged to protect. I firmly believe that every CIO and CISO must understand the data they secure, the fundamental risks to their business and actively monitor and guard their assets. Failure to do so would be insubordinate at best and outright negligent at worst, but the sad reality we live in now is that despite best efforts and even better intentions, cyber-attacks will still happen.

"When there is a bank robbery, we do not blame the bank for having money to steal"

As an industry, we must shift our collective disappointment and outrage after a breach and channel that energy into creative, innovative ideas that fundamentally challenge tried and true concepts. We must integrate security into every portion of the design phase. Security, engineered with the human in mind, integrates seamlessly into business transactions. Security can no longer be an afterthought. Cybercrime has one of the most favorable ratios of reward to risk; that is to say that the risk of getting caught is disproportionately low to the potential profits from the crime. When we look back at the massive attacks of the last year – Equifax, WannaCry, NotPetya – the perpetrators are not in jail cells. Cybercrime will continue to rise because it’s such a good gamble and it’s relatively easy to be a successful cyber-criminal.

Why is this the case? Well, it’s because security is fundamentally broken.

After all, if solving cybersecurity and privacy issues were as simple as following security best practices, we would all be safe. It’s not that simple. Two fundamental questions came to me in the first 90 days at the White House, and I had to answer them, or we would have had a significant calamity. The first was why, in spite of talented security teams and investments on security, do breaches still happen? The second was why is it, that despite hours and hours of tedious computer-based training and security campaigns, we still make mistakes and click on links? The answer was that it is because we do not design with the human in mind.

Several months ago, I sat at a table with a handful of the best and brightest security professionals working today and posed the following question: can you name for me one problem that cybersecurity has solved in the past 10 years? No one had an answer. Not one. Sure, we could name risks that have gotten smaller, but we couldn't come up with one problem eliminated. Imagine if that was the case at a medical conference or legal gathering – it’s almost unthinkable.

CIOs and CISOs must take action now to change how security is designed. Where should you start? First, admit your people, process and tech are all defeatable. While we wait for better solutions, we cannot continue to place blame erroneously. Product companies play a role and need to work with the human psyche, instead of against it. How many times have you heard, “don't click on links or open attachments” and wondered how you would do your job if you did not click on links or attachments? We force the fallible human to be the first and last line of defense against fraud, extortion, malfeasance and crime.

Ending victim shaming will result in a more transparent, honest community of practitioners who can share how the attack occurred, and doing so will only serve to increase everyone’s safety.

What’s hot on Infosecurity Magazine?