The news that the SEC has sent a Wells notice to Tim Brown, the CISO of SolarWinds, is an interesting milestone in the developing landscape of cybersecurity governance in public companies. Coming shortly after Joe Sullivan’s sentencing, and contemporaneously with the SEC’s new cybersecurity guidelines, could this be the tipping point that brings dramatic changes to the corporate executive landscape?
Without seeing the details of the planned SEC action against Tim Brown and other SolarWinds executives, it’s hard to opine specifically on the implications, because the SEC hasn’t publicly stated which securities laws it believes were broken, but this is certainly novel. It’s possible this stems from a routine filing (when I was Akamai’s CISO, I had to attest that I had briefed senior management on cybersecurity risks), or from actions taken after the breach; those would have vastly different effects on cybersecurity professionals going forward.
A Cold, Hard Look at How Companies View “The CISO” Role
The real challenge that CISOs are facing is that all of these actions are putting accountability on the CISO as if they are a peer with other members of the corporate executive team (CEO, GC, CFO, CRO), when in reality, they aren’t even in the same room. The role of a CISO is primarily one of influence, trying to guide and steer an organization to a safer destiny—partly through operational excellence (for areas they have direct control over), but mostly through convincing other executives and their teams to avoid cybersecurity hazards.
To help understand the dynamic in any organization, I’ve put together this quick list of questions that will help illuminate who is really in charge of cybersecurity:
- A breach has happened in your company, and the impact is borderline between material and not material. The CISO argues that it’s a material breach, and the General Counsel says it isn’t. Whose opinion does the company go with?
- The company is launching a new product, and it has a number of security flaws identified by the security organization, which might put the business at risk of exposing sensitive end-user data. The head of product says that fixing everything will delay time to market by 6 months, and the competition already has a product on the market. Does your company delay the product launch?
- It’s time for the board meeting, and the audit committee has asked for a briefing on the cyber risks facing the company. The CISO prepares a list of 20 serious but hard-to-fix risks, none of which is currently being worked on or prioritized. The CEO tells the CISO that only risks that have mitigation plans can be presented to the board. What gets presented to the board?
In most organizations, the CISO loses all three of these disputes. While the CISO is the cybersecurity expert for the company, they aren’t usually part of the core decision-making cadre of the business. The SEC is starting to behave as if that weren’t true – it is treating Tim Brown as if he were one of the officers of SolarWinds, rather than an executive with a limited purview. This precedent is likely to continue placing more stress on the CISO’s role, without fixing the underlying problem that most companies face: cybersecurity expertise is often disconnected from their decision-making process, and CISOs are too often chasing the business, trying to clean up cybersecurity messes.
Until that dynamic changes, the CISO will continue to be like Aaron Burr – trying to get into the room where it happens, but destined to be more of a historical footnote than a principal player.