Who Carries the Weight of a Cyberattack?
Almost immediately after a company discovers a data breach, the finger-pointing begins. Who is to blame? Most often, it is the chief information security officer (CISO) or chief security officer (CSO) because protecting the network infrastructure is their job. Heck, it is even in their job title: they are the security officer. Security is their responsibility.
But is that fair – or even right?
After all, the most common sources of data breaches and other cyber incidents are employee-driven: weak passwords, phishing emails and social engineering attacks. Are CISOs unfairly scapegoated, both in the workplace and in the courtroom? Are they shouldering the weight of cyberattacks because leadership cares more about public relations?
At the end of the day, boards of directors and high-level executives want to show their stakeholders and customers that not only is someone being held responsible, but it is also the person with the word “security” in their job title. Ultimately, this may make organizations more vulnerable to attack.
“Every time there’s a high profile breach, business needs a fall guy,” Stuart Mitchell, head of information and cybersecurity recruitment at Stott and May, told CIO Dive.
At one time, the CEO bore the responsibility for a cyber incident and its aftermath. But increasingly, CISOs have become that fall guy. Not only are they losing their jobs, they often face legal culpability for their organizations’ data breaches. This creates a precedent that could put cybersecurity at greater risk.
Often a CISO does not control all the factors that affect their organization’s security. For instance, consider a company’s funding allocation. A study from RSA 2022 found that organizations are spending a lot of money on security tools, but the tools they buy aren’t always the best or most effective. This is because the CISO isn’t necessarily the one making the decisions about which security systems a company needs. The final call often comes from someone higher in the executive chain who lacks the technical background to choose wisely.
Let’s take a closer look at two major cyberattacks: SolarWinds and Uber.
The SolarWinds data breach has become the new standard of how devastating a supply chain cyberattack can be. Threat actors first gained access to the SolarWinds network in September 2019. However, the attack went undiscovered until December 2020: much longer than the industry average of 95 days. The consequences were severe.
The breach impacted both government agencies and private-sector organizations. The company took a major reputational and financial hit, resulting in a dropping stock price, which led stockholders to sue. They claimed SolarWinds violated the Exchange Act, and that misrepresentation by leadership led to financial losses.
The SolarWinds CEO was initially part of that lawsuit, but the judge overseeing the case dropped him from the claim. The CISO, however, still faced liability along with the CFO and financial representatives.
“The biggest item is that the judge did not dismiss the part of the lawsuit on the CISO’s personal liability for the breach,” John Bambenek, Principal Threat Hunter with Netenrich, told Security.
The second case involves the former CSO for Uber. Unlike the SolarWinds lawsuit, this was a criminal trial stemming from the 2016 data breach that exposed the personally identifiable information of millions of drivers and customers. The CSO was found guilty of obstructing justice for failure to report the data breach and making payments to the attackers. Neither the CEO nor any other person in leadership at Uber was held to the same standard of responsibility.
As Forbes pointed out, the government “amplified the prevailing notion that the CISO/CSO should be blamed for any major cyber event.”
The Uber conviction took many cybersecurity professionals by surprise. It also raised new concerns about what happens in the aftermath of a data breach.
Holding someone accountable for a high-profile cyber incident looks good to the public, who are increasingly concerned about the security of their personal information. Data breach remediation policies often include how to best spin the incident to the public. After an attack, showing that someone is to blame gives the appearance of the organization taking responsibility.
Perhaps that appeases the general public. But it is the stakeholders standing to suffer personal financial loss who hold the most sway. The SolarWinds lawsuit showed that they want accountability; a judge decided that accountability lies with the CISO rather than the CEO or anyone else.
But putting all the weight of a data breach on the shoulders of the CISO to the point of criminality or personal liability could result in weaker security across the spectrum. “Personal liability for corporate decisions… will lead to a lack of interest in our field, and increased skepticism about infosec overall,” Dave Shackleford, owner of Voodoo Security, told The Washington Post.
There’s already a serious talent shortage. Making the CISO personally liable for breaches could cause fewer people in the security industry to move into leadership roles. In turn, responsibilities will spread across different leadership positions, with no one willing to add the word “security” to their job title.
Who Carries the Weight of a Cyberattack? – Security Intelligence