In most organizations, the CISO has always been at the receiving end of any cyber-attack while this may seem to be the ideal thing to do, it is not always the right thing and the fact of it all is that in the overall, the CISO may even use the experience garnered from such an attack to update. It’s highly probable that having been the victim of a cyber-attack may actually go a long way in enhancing your CV.
In the cybersecurity world, the past decade has been fraught with questions on whom to blame over a data breach or cyber incident. When such things happen, the victims usually want to hold somebody accountable for their perceived loss which should be expected.
What, however, happens in most cases is that chief information security officers (CISOs) and chief information officers (CIOs) are given the boot, occasionally, the CEO is shown the door too. While these actions may placate the aggrieved, it’s not always correct that their actions or inactions are directly responsible for the breaches.
A situation that quickly comes to mind is that of one of the world’s biggest credit score agencies, Equifax, that experienced a catastrophic breach that affected 147 million people in the US, 14 million UK citizens and 100,000 Canadians. The CISO, CIO, and the CEO had to vacate their positions as a result of the cyber-attack.
David Rimmer, the former CISO of Europe at Equifax, who was at the company during the breach, while contributing to the incident said that decisions to remove the CISO, CIO, and CEO are not necessarily made for the right reasons.
The ideal thing to be done in such instances is to take decisions with the best interest of the organization at heart and not playing to the gallery with the view of satisfying shareholders and the press. How do you expect to provide continuity at this very important time that it’s of the essence by disengaging the key people who will provide leadership during the breach response?
Mark Walmsley, the CISO of law firm Freshfields Bruckhaus Deringer, believes that the act of firing someone can be a knee-jerk reaction of being in a crisis.
Think of it, it’s more like putting a round peg in a square hole since you will only end up bringing in someone new as a way of deferring attention. This can be a very risky venture, you will be replacing an experienced hand, someone who knows the nitty-gritty of your business and has all the relationships within the business with a “newbie,” that will come to learn the ropes.
A side of the divide might consider this a great idea but how? There is a crisis, the organization is in a state of confusion, you don’t have a blueprint of how to rectify the problem, and you think the best alternative is to bring in a “stranger” who knows absolutely nothing about anything, that’s suicidal.
A breach brewing
A report has it that almost all the CISOs that took part in the Cyber Security Connect UK conference in Monaco are of the opinion that a cyber breach is brewing in every organization and it’s not a matter of if, but when. They advised that organizations must gear up to be hit by a cyber-attack at some point in time and understand that there’s no magic wand of knowing when.
Nobody says that some people should not be axed if found culpable and contributory to catastrophic failings, in such an instance, there is nothing anyone can do about it, heads must roll. However, if you know that everything that was supposed to be done was actually done, why go about punishing people for an offense they didn’t commit and had no power to forestall.
Such an action no matter what it’s meant to prove can’t be justified in any way. It does not add any value, rather it’s retrogressive and counterproductive. When a CISO knows the organization is vulnerable and goes about to do all the patching that is necessary, realizing risk, and managing it, for all intents and purposes, that’s as much accountability as you can have.
It might sound absurd but the truth is that a lot of CISOs in some organizations have to go cap in hand to plead with the management to understand the inherent risk of using IT in 2020. According to the Nominet survey covering more than 400 CISOs in the US and UK, conducted by Osterman Research, it was discovered that 6.8% in the US and 10% in the UK believe they would lose their jobs in the event of a breach.
Having dwelt much on the immediate impact of a cyber incident, it’s important you understand what the situation can look like after. Yeah, the CISOs and CIOs have been kicked out, how do they possibly fare?
Do you think they should carry about the stigma of a cyber-attack? Will anyone of them be treated as someone who voluntarily resigned from a position?
Joe Hansard, the cybersecurity recruitment consultant at La Fosse Associates, believes they won’t be affected negatively especially in their future employment prospects. “It would be how they reacted to the breach that they would be judged on,” he suggests.
There is, however, the chance that if they are sent off just immediately after the breach as was seen at Equifax, there may not be ways to prove they did all that was necessary to curtail the breach and any future employer may find it difficult to determine if they did all the right thing to avoid the incident in the very first place.
It’s important to note that an Optiv Security study reveals that 58% of CISOs believe that experiencing a data breach would put them in better stead to become more valuable to future employers.
The actual scenario
“The taste of the pudding is in the eating.” While a lot of people will not want to pass through such an experience especially as it has to do with a cyber-attack, the stark truth is that you will prefer to have somebody who has experienced an incidence to be your CISO.
Most often, before an organization employs, the usual practice is to ask for years of experience, what experience beats the fact that you were at an organization that suffered a breach and you passed through the thick and thin?
You may undergo constant preparatory tests to see what an attack could be like and how to ward it off, the absolute truth is that nothing can be compared to the real deal. If you are lucky to have somebody who has experienced the real action in your team, then you are on safer ground.
You can easily liken it to somebody who has been at the real war front having live bullets flying all over to somebody who is just rehearsing with rubber bullets. A dead man can’t come to life again just like a dead company will take a mammoth effort to revive.
What it boils down to is that once you are carrying out your functions in the organization perfectly possibly as an engineer, CIO or CISO and by so doing, you are matching the risk appetite of the organization with your actions. If the organization has to suffer a data breach or cyber incident, by all reasonable standards your position in the organization should not come to any threat and if for any reason you have to be disengaged from your position, the experience you’ve garnered from the exposure should even go on to boost your CV.
Organizations, CEOs, and investors should make concerted efforts to understand the risk appetite and stop putting undue pressure on the IT and security teams. It’s completely unfair to allow anybody who is not responsible for any cyber breach to take the blame just in the name of letting the world see that something is being done.
Data breaches are on the increase, if for any reason your organization has to relieve you of your position, you’ll find a new role, it’s a matter of when and that may even be the launchpad you’ve been waiting for.