Just in time for Halloween, the U.S. Security and Exchange Committee (SEC) dropped a spooky surprise for the cybersecurity industry when it charged SolarWinds and their CISO Timothy Brown for misdeeds in connection with the now-infamous 2020 hack.
According to the reports, the company and its CISO are accused of failing to implement the proper controls for guarding against the attack that led to a massive supply chain incident that impacted countless companies and government offices.
Oh, and also plenty of fraud.
For all the details on the CISO allegedly selling company shares before news of the attack’s impact was fully publicly available and security team members allegedly lying, feel free to check out the reporting.
To be clear, the CISO is not in trouble because his company was attacked. Once again, it is the alleged cover-up and not the crime that is at the heart of the matter. We already saw enough hand-waving when Uber’s CISO Joe Sullivan found himself in hot water over some questionable NDA practices.
While it may be juicy gossip, the fraud component is probably the least interesting part of the story. The SEC has a long history of going after people and organizations that defraud investors. It is a major part of why they exist. The apparent failure of the CISO to take action to protect his company just adds color to the story.
What is more interesting is the fact that these charges follow a new set of rules by the SEC that will put greater burdens of responsibility on the leadership when it comes to transparency and disclosure.
Back in July, the SEC issued a new set of rules that will require organizations to take cybersecurity risks much more seriously.
The gist of the new rules is the expectation that the companies will be more forthcoming about what they know and when they know it when it comes to cybersecurity matters that could be deemed “material.”
The rules now require organizations to:
In just three bullet points, there is a lot to parse out as it pertains to a couple of different areas of cybersecurity policy.
For starters, this aims to shorten the time that an organization is able to keep the knowledge that it has been attacked to itself. Disclosure probably does not mean that they need to issue a press release right away, but it does get at a couple of issues.
Far too often, organizations fail to disclose breaches at all because doing so can negatively impact the stock price, consumer confidence and have plenty of other undesirable effects. This is all before any obligations they have to notify those who may have had their data stolen.
However, leaving partners, shareholders and others who have a financial interest in the business in the dark is not a viable option.
Even if starting an incident response effort can take some time and notifying the press before having something concrete to say might be impractical, the parties involved clearly benefit from faster notification.
One interesting point is on the phrase “material” because it is vague enough to be potentially very expansive. We can expect plenty of companies who previously may have had minimal regulatory obligations to find themselves falling under the purview of the SEC’s rules.
The next point to look at is that the SEC, and really many agencies, want to push leadership to take an active role in knowing what their security policies and protective measures are. Think of this as the SEC removing the plausible deniability that many organizations may have had in place previously.
It also significantly elevates the role of the CISO.
The problem is that there is often a communication gap between the two sides that has to be overcome for both the good of meeting the SEC’s requirements as well as actually improving the security of the organization.
Bringing the CISO into C-suite-level discussions is a relatively new development across most industries. Mostly because the CISO title is relatively new; it is not that cybersecurity was viewed as wholly unimportant, but it does not directly contribute to the bottom line of the company. At least not in the sense of contributing to pushing that line higher.
But as the level of risk that impacts the business has grown from issues surrounding cybersecurity, leadership has been forced to give the CISO a place at the table. It is true that the CISO is generally a direct report of the CIO, CFO or sometimes CTO. But the organization is increasingly looking to the CISO to stand up and help them get to the right security posture for protecting the organization.
While everyone recognizes that increased collaboration between leadership and the CISO is important, it is not without its challenges.
The first of which is that explaining cybersecurity issues to the leadership can be hard. CISOs typically come from a technical background and will speak to their expertise, identifying problems that can be difficult for the leadership to really grasp the importance of. Especially if the CISO is not properly presenting the risk in the business terms that the leadership finds relevant.
The next challenge is how the CISO is supposed to advocate for implementing company policies and investing in security technologies.
A recent study found that the leadership is 15% more confident than the CISO in the organization’s ability to protect its data. While one may think this number would have been bigger, it is still concerning.
Thankfully, there is some good news to be had here. There is general agreement between the two sides that malware (40%), insider threats (36%) and cloud account compromise (36%) are some of the top problems that they are facing.
While the argument that malware is bad for operations is a fairly straightforward sell (see: Ransomware), CISOs may face challenges when it comes to explaining the business impact of insider threats.
In this next section, we take a look at a couple of ways that CISOs can communicate the impact of insider threats to their leadership and offer some ideas for how to become a better advocate.
Conceptually, explaining what an insider threat is to your leadership is fairly straightforward. It is when we start to dive into the details that it can be a little more complicated.
Insider threats is a fairly general term that encompasses the threats posed by the people within your organization.
While the vast majority of attackers do come from outside the organization from hackers, the insider threat can be far more dangerous because they already have the right credentials and access to log in legitimately and move around to steal data or harm systems.
Insider threats come in a couple of different types:
Here below are a couple of talking points for how to explain the insider threat in terms of business impact.
Not every insider threat is an Edward Snowden or disgruntled employee. According to the Verizon Data Breach Investigation Report for 2023, a full 13% of incidents are the result of negligent insiders who simply messed up. These errors can include:
While these are simple human errors, they can lead to data leaks or open the door for an attacker to breach the organization.
For their part, regulators do not care much if the breach happened because of an intentional attacker or unintentional action by an employee. If private data is exposed, then the harm is already done.
While there are those who will mistakenly say that cybersecurity is a drag on the bottom line, falling victim to an insider threat incident is like a bottomless pit when it comes to how much it can cost an organization.
According to IBM’s Cost of a Data Breach 2023 report, insider threats are the most expensive incident type, costing an average of $4.9 million per incident.
Dealing with an insider threat can quickly skyrocket when it comes to the costs involved. These can include:
One significant, still-open case is that of Tesla, which had an insider breach earlier this year. Two former employees leaked safety reports to a German news outlet, along with the personally identifiable information (PII) of thousands of Tesla employees. They even exposed Elon Musk’s details, including his Social Security number.
Tesla now faces a potential GDPR violation fine of some €3.26 billion euros, equaling 4% of revenues. While it will not sting as much as the drop in price of Twitter (now known as X), it would still be a pretty big hit for the Musk-owned company.
People understand that attacks happen. In 2023, it is basically a fact of life and part of the cost of doing business that nefarious individuals will try to break in and get up to no good.
That said, customers have a basic expectation that their data will not be put at risk by the people they are paying to entrust it.
An insider threat incident can have a more significant impact on how the organization is viewed. Reputational damage can harm both the retention of current customers and make gaining new customers an uphill battle.
Being the CISO means not only pointing out the problems but also finding ways to solve them.
The list of strategies for tackling insider threats is long, but here are a few useful places to start.
Most people in your organization are not hired because they are experts in security.
It is up to the CISO to organize sessions that cover the proper way to handle data and systems.
Teach employees to:
People’s behavior doesn’t often deviate day-to-day in the workplace. They have the files and systems that they need to do their job, and all that should not have too much risk or variation.
Understand what your employees’ baseline activities are and be able to flag when something out of the ordinary is happening.
Identify where the most critical areas are for monitoring and use technology to monitor them. Think about financial transactions, touching customer data and the like.
Actions that include exporting or deleting data should be easy to highlight if you use solutions that automate looking for it. This is valuable for both when a malicious or just negligent insider does something they should not, and can even allow you to block the action. Or, at the very least, hasten your investigation into what happened.
Whether insider or external threat, an actor can only impact data and systems they can access.
Limit what they can do by restricting their access to only the systems they need to do their jobs. This refers to the principle of least privilege.
Train admins, managers and IT staff to only provision access to what they reasonably believe is necessary, and then follow up with them to see what is excessive or not being used.
By removing access, we close holes in our attack surface that can leave us unnecessarily open to attacks.
Nobody likes to rock the boat, especially not in a business or corporate setting.
Telling people to move fast and break things sounds great once you’ve built an empire.
No security person wants to get the call that the protections they put in place broke a critical business process and are costing the company in lost revenues and tempers.
While no CISO is ever likely to see extensive prison time or even face real financial penalties for an attack happening, there is still a responsibility to step up and let people know what the problems are that put the organization at risk.
In this sense, the CISO has a true fiduciary responsibility to tell unpopular truths and advocate for security imperatives. Even if the leadership is not going to sign off on every initiative and not every risk can be abated, it is up to the CISO to make the best case for what needs to be done.
Finding the best ways to communicate clearly to the leadership can go a long way in making the organization better prepared to handle threats, no matter where they originate from.
Recent Articles By Author