Cyber-Risk Is Getting Personal

Cyber-risk is no longer just business risk; it's also personal risk. Learn how to protect yourself and your organization from threats.

February 19, 2024


By Michael Clark, Marketing Content Writer, ExtraHop

The world of cybersecurity looks very different in 2024. The October 2023 indictment of SolarWinds chief information security officer (CISO) Timothy G. Brown for fraud and internal control failures sent a clear message to leaders in the security space: A new precedent has been set. Cyber-risk is no longer just business risk; it's also personal risk.

Brown's case may be the most recent example of criminal charges brought against a CISO related to a data breach, but it's not the first. Almost exactly one year prior, former Uber CSO Joe Sullivan was found guilty of obstructing a Federal Trade Commission (FTC) investigation into a data breach. And with the new Securities and Exchange Commission (SEC) requirements that took effect in December 2023, this likely won't be the last time we see similar charges against cybersecurity leaders.

Four Strategies to Protect Yourself Against Cyber-Risk

With all this noise in the news, the true cost of a data breach has never been higher. It's not just about lost data; it's about lost revenue, lost trust, plummeting stocks, and sometimes criminal charges. So, how can you protect your organization and yourself? Here are four ways.

Get Documentation

Clearly documenting your organization's cyber-risk governance policies is critical for CISOs. These policies should outline the organization's processes for identifying cyber-risks, quantifying their business impact, and determining which ones to accept. Organizations must also document their governance processes for conducting incident response and notifying regulators of incidents. This documentation needs to be crystal clear about how the organization's cyber-risk identification and evaluation processes work and who the accountable business leaders are — in other words, who is and isn't responsible for identifying security risks and for approving risk acceptances.

Get Involved in the Process

The precedent set by the SolarWinds indictment means CISOs of publicly traded companies can be held criminally liable for perceived misstatements or perceived misrepresentations in filings, regardless of whether they had any involvement in drafting them. These filings are only projected to grow in quantity, based on the SEC's new requirement "to disclose material cybersecurity incidents" that SEC registrants experience and "to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance." This makes getting involved in the process of drafting both cyber-related regulatory disclosures and public comments made by the CEO or other company officers more important than ever.

Get Insured

Defending yourself against an indictment could easily cost multiple millions of dollars, even if you aren't found guilty, so it's a good idea to look into insurance coverage. If you're not already covered by your organization's directors and officers (D&O) insurance, it's time to have that conversation with your management and human resources. It's also important to make sure you understand the limits of what your organization's policy will cover and, if necessary, consider personal liability insurance to supplement your D&O coverage. Another important consideration is whether your organization's policy allows you to retain your own independent counsel. This can be an important failsafe if you find yourself in the unfortunate situation where the lawyers hired by your organization don't have your best interests in mind.

Prevent the Breach

Of course, your best defense against the personal risk associated with a data breach is preventing it from happening in the first place. With today's attackers becoming more advanced, identifying and preventing breaches requires complete visibility across your entire enterprise. Perimeter controls like intrusion detection provide protection and visibility north-south, but enterprises without east-west visibility are left blind to insiders, rogues, and low-and-slow attacks. Sophisticated attackers can hide from many detection tools, but they can't hide from the network. That's why network detection and response tools are table stakes in the fight against ransomware, nation-state attacks, and data theft.

Minimizing Risk in an Imperfect World

Although the goal is always to mitigate business risk and stop breaches before they make an impact, we don't live in a perfect world. Even when risks and vulnerabilities are raised to executive teams and boards of directors, and even when every measure is taken to mitigate those risks and address those vulnerabilities, there are a wide variety of reasons it's not always possible to eliminate risk. Organizations face not only budget and staffing limitations but also the fact that they're often targeted by highly sophisticated nation-state actors. The strategies above can help you be prepared in the event of a data breach and minimize your personal risk in the process.

About the Author

Michael Clark is a marketing content writer at ExtraHop. He previously worked for Optiv Security, where he developed a wide range of assets on ransomware, operational technology, threat intelligence, and more during his nearly four-year tenure with the reseller. Outside of work, Michael enjoys bouldering and writing sci-fi short stories.
