Leadership Is Still Washing Their Hands of Cyber Risk

By John A. Smith, CEO of Conversant Group

Where it comes to owning responsibility for cyber risk, executive leadership has moved in and out of the spotlight like character actors in a play for over a decade. Circa 15 years ago, most IT teams went it alone, working to “keep the lights on” while also attempting to secure the enterprise against threats. Once cyberattacks and related global headlines became too voluminous to ignore, we (rightly) began hearing calls for CEOs and boards of directors to get involved—these attacks had become too catastrophic for senior leadership to defer awareness, decision-making, and blame. As breach damages soared, several CEOs were ousted. Finally, many executives answered the call, briefly taking the stage in security operations.

But it didn’t last long; companies worldwide found a loophole enabling them to defer risk back to IT in the form of an organizational change—the appointment of a Chief Information Security Officer (CISO)—offering up a technical leader with a high enough title that CEOs could move quietly back into the shadows. Exit, stage right. As an unsurprising aside, it was a series of cyberattacks by Russian hackers that inspired the appointment of the very first CISO ever—Steve Katz–by Citicorp in 1994. However, it was many years and hacks later that first the government, and then the financial services industry, and then others adopted this role.

So, have these top executives taken responsibility, and has the CISO role mitigated risk? I argue that they largely have not, but it is crucial to understand why. Without full leadership awareness of the threats, risks, and potential consequences of attacks, IT teams are not able to obtain the buy in and budget necessary to fully understand their risk estate and mitigate it. And ultimately, as we will discuss, CISOs and IT are still largely on the front lines of accountability and blame today. Yet, sadly, they are unable to affect the security outcome without support from the top and resources from external parties. Our aim is not to disparage CISOs or IT; but rather, argue that given the current structure, support, and focus of the CIO role and IT department, they are set up to achieve suboptimal results and all the blame when things go south.

Why the CISO Model Still Fails to Address Cyber Risk

When companies scrambled to appoint CISOs en masse around 10-15 years ago, some brought in new blood—the most experienced security and compliance leaders appropriate for their needs. Others, particularly in the mid-sized business ranks, simply reorganized, elevating current senior IT staff to the title. In either case, it accomplished a few things that moved the actual end goal of security even farther away (and this dynamic continues today).

First, it provided a buffer and deferment layer between the CEO/board and the ranks of IT struggling daily with too much risk, too little staff, and insufficient budget allocation to secure the business. I don’t necessarily blame boards and CEOs for this; security is hard. Most executives don’t understand it; it’s considered a highly technical cost center that presents a complex problem with thousands of moving parts you can’t ever fully solve. Senior leaders have many conflicting priorities, all of which are screaming for budget and requiring solutions. While some are very technically knowledgeable, most aren’t, and finding one person to shoulder the load is an obvious (though inadequate) solution.

Unfortunately, executives can never fully pass off this responsibility because data is far too central to the organization’s ability to function. Because top leadership, boards, and even private equity firms make critical budget allocation decisions, they must be made to understand the vulnerabilities, potential solutions, and the real-world results of failure to act (in a language they can understand). Then, they must own the decisions on which risks to take based on budgetary allocations. While CISOs have a powerful title, we see in our daily work they still have less access to the board than they truly need to sway top leadership. They need a voice—and they need the right information to make top leadership truly understand what is at stake.

Second, in our experience, most (but not all) CISO’s are quite focused on aligning their security programs against compulsory and recommended compliance frameworks like NIST, CIS, HIPAA, FedRAMP, and the like. These frameworks don’t focus enough on ensuring the underlying security controls and technology are configured and orchestrated in a manner to prevent a breach. They are also static: they don’t iterate in real time with the very fast-changing threat actor tactics or rapidly shifting organizational threat surface. In other words, CISOs and IT teams often don’t know what they don’t know—where the threats truly exist in their environment, what needs to be fixed and how, and this puts them in an even weaker position to present accurate information to those holding the purse strings. I don’t blame them, either—IT has a huge span of control, and even security-focused staff can quickly lose pace with current threat actor techniques when in their single corporate environment for a length of time.

Finally, while this model has provided a layer of culpability to shield the CEO and boards in the event of a catastrophic breach, so what? Who cares about blame (aside of the hapless, blamed CISO) when the organization’s finances, reputation, and market position are a pile of ruin? Blame is a pointless game. Class action lawsuits are still likely to be undeterred anyway if the organization was found to be negligent in proper security practices, regardless of how compliant they are with frameworks and statutory requirements. CISOs and their associated teams must be focused on preventing this destruction so businesses, jobs, and industry can continue unabated by focusing on where the real risk lies—not in their written policies, regulations, and frameworks, but in the underlying tech stack and its configuration and orchestration.

This can be done by leveraging external, rigorous, and regular assessments of all key systems, applications, and controls. Threat intelligence must be applied to an organization’s technology orchestration, and this can only be accomplished by a CISO operationalizing a risk register on the principle of Zero Trust. Zero Trust is not a single or set of processes, people, or products; it is an orchestration of all three. These activities, along with internal/external penetration tests and internal and external vulnerability scans (no less than monthly), must be leveraged as feeders to the operationalized risk register, which can then be presented to executive leadership in terms understood by them (dollars and potential damages). Executive leadership operating as a team, not just the CISO or any group or individual in IT, should be responsible for accepting discovered risks for the organization.

IT Teams Need Support: Top Down, and Outside In

It’s time for CEOs, boards, and even private equity firms to enter the stage again and get educated. It’s essential that they truly understand what it at stake—who is to blame isn’t the core issue. They must be involved and provide the leadership and resources that CISOs and technical teams need to secure the organization.

It’s true that CEOs and boards have many competing priorities. But when the business is decimated by a catastrophic breach, there is no greater priority than that—and by then, it is often too late to shine a spotlight on it.

About the Author

John A. Smith is the CEO of Conversant Group and its family of IT infrastructure and cybersecurity services businesses. He is the founder of three technology companies and, over a 30-year career, has overseen the secure infrastructure design, build, and/or management for over 400 organizations. He is currently serving as vCIO and trusted advisor to multiple firms.

A passionate expert and advocate for cybersecurity nationally and globally who began his IT career at age 14, John Anthony is a sought-after thought leader, with dozens of publications and speaking engagements. In 2022, he led the design and implementation of the International Legal Technology Association’s (ILTA’s) first annual cybersecurity benchmarking survey.

John Anthony studied Computer Science at the University of Tennessee at Chattanooga and holds a degree in Organizational Management from Covenant College, Lookout Mountain, Georgia. John can be reached online at our company website https://conversantgroup.com/.