The Growing Accountability of Chief Information Security Officers
In recent years, there have been several high-profile cases of chief information security officers (CISOs) facing individual scrutiny and potential enforcement action for decisions that have affected their organizations. As companies access and handle more personal data than ever before, regulators are reexamining the significant responsibility this brings. From negligence to deliberate cover-ups, these cases highlight the need for increased accountability in the realm of cybersecurity.
The SolarWinds Case
One notable case is that of SolarWinds CISO Tim Brown and CFO Bart Kalsu, who received Securities and Exchange Commission notices of potential enforcement action over alleged violations of securities laws. The issue stems from their response to the Russian hack of the Orion network monitoring software in 2020, which affected more than 30,000 organizations. The concern is that such mistakes could result in substantial fines or jail time for the executives involved, or could jeopardize the security of millions of people.
The Uber Case
In May 2023, former Uber chief security officer Joe Sullivan was sentenced to three years’ probation and given a $50,000 fine for covering up a massive 2016 data breach at the ride-sharing giant. Sullivan had joined Uber in 2015, just after the company had disclosed a 2014 data breach compromising the personal information of about 50,000 consumers. The second breach exposed the data of approximately 57 million users. Sullivan paid the hackers $100,000 to prevent them from disclosing the breach. While some security professionals defended Sullivan’s actions, arguing that he did nothing wrong, it is clear that he violated federal law by concealing important information from the public.
The TSB Case
In April of this year, Carlos Abarca, the former chief information officer of TSB Bank, was fined £81,620 (US$103,900) for operational resilience failings. Abarca was found to have breached the Senior Manager Conduct Rule 2 by failing to ensure that TSB complied with PRA Outsourcing Rules. TSB’s data migration to a new IT platform in 2018 resulted in significant technical failures and disruption to banking services. The failure to adequately supervise a third-party service provider led to major disruptions for TSB’s 5.2 million customers. This case highlights the crucial role that senior managers play in ensuring effective outsourcing management.
The Importance of Accountability
These cases demonstrate that it is not minor failures that incur consequences but rather the failings that have a significant impact on customers, shareholders, and the wider market. The accountability of senior executives, including CISOs, is increasingly under scrutiny. The question arises as to whether these cases will lead CISO candidates to demand higher pay in return for the greater personal responsibility the role now carries.
At the RSA Conference in San Francisco, Gadi Evron, CISO at venture capital firm Team8, expressed the concerns of many CISOs following Sullivan’s trial: “Should I leave this occupation?” and “Why is the CISO the only one standing trial?” These concerns highlight the need for a reassessment of the expectations and responsibilities placed on CISOs.
The Role of Crisis Communication Drills
In order to mitigate the risk of liability, organizations can take proactive steps. One suggestion is to hold crisis communication drills to ensure preparedness in the event of a security incident. This allows organizations to identify potential gaps in their response plans and improve their communication strategies. By practicing and refining incident response plans, organizations can better protect themselves and their customers.
Defining Role Responsibilities and Professional Decisions
Another important factor is for CISOs to clearly define their role responsibilities and understand the correct terminology. This clarity can help prevent misunderstandings about expectations and ensure that decisions align with the organization’s security strategy. Additionally, it is crucial for CISOs to approach their responsibilities with seriousness and avoid panicking in the face of a security incident.
Conclusion
The increasing accountability of chief information security officers reflects the changing landscape of cybersecurity. As companies handle more personal data and face potential regulatory scrutiny, senior executives must be prepared to take responsibility for failings that may impact their customers, shareholders, and the broader market. By embracing accountability and taking proactive steps to improve their organizations’ cybersecurity posture, CISOs can help protect both themselves and the public.