Chief Information Security Officers (CISOs) are increasingly finding themselves under the legal microscope, as evident in recent cases involving SolarWinds and Uber, brought forth by the SEC and FTC, respectively. This article illuminates the changing landscape, drawing comparisons and distinctions between it and the journey of Anti-Money Laundering (AML)/Bank Secrecy Act (BSA) officers over the past 20 years. It aims to offer a nuanced commentary on the increased accountability of CISOs.
In an era where cybersecurity transcends IT departments and has become a board-level priority, CISOs are indispensable in protecting organizational assets from digital threats. Their actions are under constant review, and their impact on the organization is more significant than ever.
Nearly two decades ago, AML officers found themselves in a parallel situation. Post-9/11, their roles came under greater scrutiny and carried an increased level of personal accountability. The prominence of AML functions in board-level discussions surged, as the associated risks were not just financial but also existential, particularly concerning financial institution licensing. Over time, AML officers have faced personal accountability from regulators and enforcement agencies, a trend now emerging for CISOs.
Today’s CISOs operate in an environment where standards and best practices like NIST and ISO exist. Nevertheless, many of their expectations are not as well-defined and established as the guidelines provided for AML officers. In addition, living by some of these standards requires a level of interpretation, let alone execution, that can vary significantly across organizations.
The legal challenges faced by the CISOs of SolarWinds and Uber have raised numerous concerns within the cybersecurity community, with many voicing that CISOs are being unfairly targeted. I don’t share that opinion. To be sure, the responsibility of CISOs is a central topic of corporate governance conversations, and these court cases are crucial, not just for the legal precedents they might set but for the broader message they convey about the expectations imposed on CISOs. As noted, AML officers had the advantage of operating under well-defined regulations, with established best practices and clear expectations from regulators. Because of this, they faced personal liability when their programs were found to be lacking.
For AML officers, the focus was on their programs’ effectiveness and ability to thwart money laundering activities. While personal liability was linked to the efficacy of their efforts, it was rare for AML officers to face charges if they made good-faith efforts, even in problematic situations. Legal liability usually occurred in conjunction with allegations of willful misconduct, fraud, or obstruction – similar to the troubles faced by the CISOs of SolarWinds and Uber.
The issues and circumstances surrounding the SolarWinds and Uber CISOs vary, but I believe people were personally named due to alleged misconduct, not specifically for the efficacy of their cyber programs. While these cases may set a precedent that increases CISOs' accountability in ways that go beyond the conventional scope of their roles, it does not, in my view, suggest additional legal risk should good-faith efforts be made to run an effective program. I believe this has also proven out in the case of AML officers.
Navigating the Future: Aligning with Leadership and Fostering Accountability
The current climate necessitates that CISOs have a robust understanding of cybersecurity best practices and the ability to navigate complex legal and ethical challenges. Alignment with executive leadership and clear communication are paramount. CISOs must ensure they have the support and resources to implement effective cybersecurity programs and clearly communicate those risks and challenges to the board and executive team.
The same requirements also became critical in the AML officer role. In that industry, a notable shift occurred as proficient AML officers started placing greater emphasis on the significance of ‘tone at the top’ in their career choices. Many simply resigned and took roles at other institutions where senior leadership took the necessary time and interest in understanding the issues, providing resources, and making challenging decisions to give the AML officer a fighting chance. I certainly see that same scenario playing out in the cybersecurity industry.
This is not to say that AML officers and CISOs should simply get everything they ask for; that would also be irresponsible to numerous stakeholders. However, I believe personal legal liability should not be considered a negative. Almost all AML officers and CISOs I have met already operate at a level of integrity above that standard anyway. The recent cases brought to light, which included naming CISOs personally, do, however, show me that what should be happening is happening – CISOs in many companies belong at the highest level of leadership, as their role is as critical as any when it comes to maximizing the potential of the organization.
Considering the intensified scrutiny and expanding accountability within the corporate world, it is paramount for CISOs to adapt and evolve, much like AML officers have done over the past two decades. As we have delved into the comparative journeys of CISOs and AML officers, it becomes evident that while there are distinct parallels, CISOs face unique challenges in an environment where expectations are not as clearly defined, yet personal liability is increasing. However, this increased accountability should not be viewed negatively; it underscores the vital role of CISOs in contemporary corporate governance and highlights the necessity for robust cybersecurity practices, clear communication, and strong alignment with executive and board leadership. Just as AML officers have navigated their evolving landscape, CISOs must embrace their pivotal role, championing cybersecurity resilience and integrity at the highest levels of leadership, ultimately ensuring the protection and prosperity of the organizations they serve.
Important footnote: I have never met either of the CISOs noted in this article. However, I know people I hold in very high regard who have nothing but positive things to say about both gentlemen. Additionally, other than simply reading the complaints, I have no knowledge or judgment related to the accusations or details surrounding the circumstances faced in either case.