The CEO Is Next

COMMENTARY

One day soon, a government agency will very publicly seek to hold a corporate CEO personally liable for a failure to ensure their organization invested sufficiently in cybersecurity. The surprising thing won't be that it happens, but rather how many people who work for and look up to the CEO will be happy when it does.

When a company gets hacked, the real costs often land on consumers. The company's stock price typically rebounds quickly, but end users are left with their identities stolen, accounts locked, money lost, or children exposed to harm.

The consumers who are harmed from breaches rightfully expect our governments to protect us. The contract between people and their governments is simple: We contribute some of our wealth and you keep us safe. That model has worked pretty well for centuries.

But things have gotten a lot more complicated in the Internet age. Our digital fingerprints are held in the hands of private companies. In the name of personal privacy, we don't want our governments to have that level of access to and control of that information. So, the government can't solely protect us, and companies aren't properly incented to do it either. It's a unique catch-22: No single entity has the power to protect us on the Internet.

Something must give, which is why we're experiencing a movement toward regulation by enforcement. The trend has been developing over the past decade, since the Obama administration developed a policy instructing prosecutors to expand enforcement actions against "responsible corporate officers,” on the theory that the best way to encourage better corporate behavior is to bring actions directly against executives.

The Biden administration has now taken that approach to cyberspace. Look no further than the National Cybersecurity Strategy, which, at its core, demands that corporate America do more to protect citizens from cyberattacks. Realizing it cannot stop cyber harm by asking for voluntary cooperation from companies, it is also using the enforcement tools it believes it has under existing law to force changes in behaviors. A current example is the Securities and Exchange Commission's (SEC) action against the software company SolarWinds and its head of security. The case has raised eyebrows, specifically because the security leader was sued personally.

Why the CEO Is Next

Inside every major company is a security team full of smart, technically savvy professionals dedicated to fighting criminals and despotic governments to protect their customers. Most are understaffed and push hard for more investments to make their jobs easier. Leading those teams are senior security practitioners, many of whom are not given the title of chief information security officer (CISO). And recently, our government has turned its enforcement eye toward those team leaders.

As the government digs into these types of cases more deeply, it's inevitable it will conclude it was a mistake to target the greatest champion for the public inside a company. The current focus on security leaders is flawed because it assumes that rather than delivering security at the highest standards, these leaders have instead chosen to mislead. In response, nearly every CISO I talk to is worried about being held personally accountable for a lack of corporate investment. Some great CISOs are now stepping out of the role because their desire to help others is losing out to their desire for self-preservation.

With very few exceptions, the CISO or senior-most security leader is simply not the "responsible corporate officer.” It's the CEO. Security leaders rarely, if ever, get the budget needed to do their job well. CEOs and boards that do control the corporate budget rarely invest the time to understand their cyber-risks, and instead allocate resources in other directions.

The government's attention has already started to shift toward the CEO. At the final hearing in the case in which I was charged with covering up a security incident at Uber, the judge made it a point to challenge the Department of Justice and ask why the CEO was not brought to court. The Federal Trade Commission (FTC) reached the same conclusion and entered into a settlement with the CEO of Drizly for failing to invest adequately in security. The Cybersecurity and Infrastructure Security Agency (CISA) now asks that CEOs, not CISOs, sign its pledge to use secure by design principles when selling software when selling software. And the SEC will see it when it peels back the layers and reviews what happened during budget time at SolarWinds. It will realize it is not enough to look at how a security team responded to an incident or tried to prevent it. To assign culpability, it must look at how the company allocated resources from the top down. Sen. Ron Wyden (D-Ore.), in his recent letter to the FTC and SEC, also asked them to focus on the CEO level when investigating the United Health Group over the Change Healthcare ransomware case.

Security leaders are starting to ask more forcefully for resources. When they fail to receive them, they are documenting those budget decisions clearly. They are also pushing forward policies that bring CEOs and other executives more directly into cyber-incident response processes and deploying new products like those from BreachRx (full disclosure: I've recently joined the company as a senior advisor) that document how security incidents are handled in a cross-functional manner. All these steps will make it easier to show that the security leader wasn't standing alone or, in many cases, even involved in the decisions that led to consumers getting hurt.

Ultimately, the only way the CEO avoids being the target of government enforcement actions is if he or she takes a personal interest in ensuring that the corporation invests properly in cybersecurity.