The chief information security officer (CISO) role has been under increased scrutiny from regulators over the past few years.
This is especially true in the US, where the former CSO of Uber, Joe Sullivan, was sentenced in 2023 to three years of probation and fined $50,000 for his handling of a 2016 breach that exposed the data of roughly 57 million Uber riders and drivers.
That same year, the Securities and Exchange Commission (SEC) charged Timothy G. Brown, then SolarWinds’ CISO, with fraud and internal control failures.
Speaking to Infosecurity during the RSA Conference 2024, Gerome Billois, a cybersecurity and digital trust partner at cyber consultancy Wavestone, predicted that similar cases could soon happen in other parts of the world, particularly in Europe.
Sullivan, who now runs his own security consultancy, spoke about his experience during the RSA Conference.
He and fellow panelists Charles Blauner, president of Cyber Aegis, and David Cross, SVP and CISO of Oracle SaaS Cloud, shared recommendations for CISOs on how to prevent such extreme situations and protect themselves against legal pressure.
Gadi Evron, founder of Knostic, revealed that Brown was initially invited to join the panel, but his legal advisors convinced him not to.
Why CISOs Have Become the ‘Scapegoats’
Blauner said the pressure created by the rise in cybercrime is having a ripple effect on CISOs: success in their jobs is no longer assessed only by their employer but also by regulators.
“The heat is coming because you’ve got these entities in government responding to the huge rise in cybercrime. It’s not like the old days, when there was an incident and most people wouldn’t notice. When stuff happens today, the whole world knows,” he said.
Sullivan also pointed to the US National Cybersecurity Strategy calling for “shifting the burden for cybersecurity away from individuals, small businesses, local governments, and infrastructure operators, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.”
He said this new national policy is one reason companies are under more pressure to deal with cyber incidents.
This pressure is then passed on to the CISOs, CSOs or cybersecurity managers and directors.