Editor's note: The following article is from CIO Dive's archives. It was originally published in March 2019.
The aftermath of a data breach makes those with "security" in their title the most convenient scapegoat.
Securing an organization against cyberthreats is not a one-person job, especially when distributed security is gaining traction and the underlying circumstances of a breach don't necessarily mean the CISO alone is to blame.
Chief information security officers are tempting sacrifices in the event of a data breach. However, "in the midst of chaos, you need somebody and typically you want your CISO," said Chris Nims, CISO of Verizon Media, in an interview with CIO Dive.
Still, there's no surprise that a C-suite overhaul is common after a massive data breach, think Equifax, Uber, and Yahoo. But in the grand scheme, less than 1% of CISOs are actually fired, though 12% believe they would be dismissed because of a breach, according to a 2015 IDC report.
Consequently, CISOs feel more compelled to fall on their sword after a breach.
"Where I've personally seen CISOs move out post-incident, it's typically because of the individual," said Nims. "You may not know, until there's a significant security incident, whether or not the leader is going to be successful if he or she has never navigated that kind of storm before."
Sometimes it's easier for companies to let go of security professionals to make a show of accountability to the public, customers or clients. The scapegoat title isn't always fit for a CISO when the extent of the breach, the exploited vulnerability and the aftermath are taken into consideration.
What's in a name?
The attractiveness of the CISO title, or of any security title preceded by "chief," can have less to do with responsibility and more to do with vanity.
"We like to be nice to each other and make each other feel good to have someone with an actual title of CISO," Pete Lindstrom, VP of research, Enterprise/NextGen Security at IDC, told CIO Dive.
Not having the CISO title for a role with similar responsibilities is not really a unique concept, according to Lindstrom. "These titles come and go," he said, and there is a "mixed bag of industry and personality" that pull the strings between CISO, CSO, CIO or chief risk officer.
The CISO title is popping up partially because of what it signals to the public, potential hires, partners and insurers. Companies are weaving security into contracts and interactions.
Target hired Brad Maiorino as the first CISO in company history in 2014 after its 2013 data breach. Maiorino reported to then-CIO Bob DeRodes, who was also brought on after CIO Beth Jacob's resignation in March 2014. Shortly after, the chief executive of Target, Gregg W. Steinhafel, resigned in May 2014.
As data has always been touted as an intangible yet invaluable company asset, its protection is just as important. Companies without a formal head of security can be scrutinized for a lacking formal approach to cybersecurity.
"I'm sure there are companies with someone without a particular title [who] may feel they aren't as effective as they could be," said Nims. However, "I don't think there's a silver bullet answer to that, I really think it boils down to a particular company's culture."
A seat at the table
A security leader with the chief label likely entitles the individual to more compensation, the assumption of security ownership and greater access to the CEO, most importantly.
If a security leader is "buried" and "a couple layers down," a company isn't "putting the right level of focus on security as [it] should be," said Taryn Aguas, leader of the CISO transformation labs program for Deloitte Cyber Risk Services, in an interview with CIO Dive. The CISO title "is certainly appealing for talent" but is second to the role itself and its level of authority.
Regardless of titles, security leaders need to effectively communicate strategy and priorities across nontechnical leadership.
"I enjoy working with leaders who understand that even though my security priorities might create tension with their innovation or revenue generation priorities, my work is also important, we are all in this together, and we will through creative tension together steer the company in the right direction," Joe Sullivan, CSO of Cloudflare, and former CSO of Uber and Facebook, told CIO Dive in an email.
CISOs have to be able to provide the nontechnical C-suite members the context of security and where the CISO role ideally fits.
"I suspect I was not the best partner myself when I first stepped into leadership, because it took me time to shift my perspective from being a leader of a team to being a leader of the company," said Sullivan.
The rideshare company's former CEO Travis Kalanick accumulated a trail of scandals before his exit in June 2017 and Sullivan followed in November of the same year following the disclosure of a data breach impacting 57 million users. Uber's security leadership used funds related to its bug bounty program to pay the intruders $100,000 to delete the data.
Having a direct line of access to the CEO takes the guesswork out of security in terms of business strategy. Without a seat at the table, Sullivan said he had to "dig to figure out which risk areas could be addressed quickly and which needed to be worked through collaboratively."
This is a slow evolution for companies that are used to viewing their security organizations as a cost center and compliance function.
The aftermath of a data breach tests a C-suite's ability to handle what this means for reputation and recovery. "I would say modern companies look at security leaders, the CISO role, as a significant asset and as a leader that's actually going to help you navigate that storm," said Nims.
For Nims, the brand portfolio that sits under the Verizon Media umbrella attracts a multitude of potential adversaries. When he came in as CISO and inherited the breached legacy Yahoo now carries, Nims had to create a cohesive security strategy.
Nims didn't treat it any differently from other M&A activity. "It was definitely not a transition that was focused on 'here's this big thing that happened and everything is focused on that,'" said Nims. "Certainly, absolutely appropriate attention, given to various items that resulted from [the breach]."
Input from historical cyber events naturally shaped the agenda for what Nims needed to do from a program perspective and what needed to be built.
Who owns responsibility
There is complexity involved in cybersecurity, though the public routinely assumes a breach was the result of negligence.
There "really [needs to be] a better way to assess negligence because there's no legitimate security professional out there that will say you can be 100% secure," said Lindstrom.
Breaches often occur as a result of something outside the direct control of a CISO. Updating systems or administering software patches, for example, is a responsibility of IT operations whereas the CISO is in charge of prioritizing patches.
Actual security patching is not done by the security team, said Todd Inskeep, principal and director at Booz Allen Hamilton, in an interview with CIO Dive.
This is one of the places the intersection of a CIO and CISO is vital for companywide security. Former Equifax CIO Graeme Payne testified to Congress that the credit firm's aggressive growth strategy contributed to a foggy representation of its IT systems.
The U.S. House of Representatives Committee on Oversight and Government Reform concluded that Equifax's breach was avoidable if patches were implemented accordingly.
Payne testified the company still relied on an internet-facing Automated Consumer Interview System environment from the 1970s to 2017 and feared a retiring workforce would edge out those with knowledge of operating legacy systems.
Former CEO Richard Smith's aggressive acquisition activity contributed to the Equifax IT organization's inability to keep a reliable inventory of what software resided on the legacy systems, according to Payne. Smith's market growth strategy added to the firm's complex layers of applications, databases, middleware and operating systems.
Equifax's breach was caused by its technical strategy, and therefore its security strategy, taking a backseat to its general business strategy. The breach was a result of "human error and technology failures," said Smith, during his Congressional hearing. The mistakes were "made in the same chain of security systems designed with redundancies."
Without a reliable system inventory, which is part of the NIST cybersecurity framework, Equifax's former CSO, Susan Mauldin, its CIO and its CEO were doomed.
Even without a living inventory, "a good CISO and IT team can create architectures to protect legacy systems, network segregation and network mechanisms to isolate" and defend the company, said Inskeep. A reliable architecture would allow a CISO to effectively manage updating, patching and other vulnerability management activities.
In February 2018, Equifax named Jamil Farshchi its CISO after he cleaned up Home Depot's data breach as CISO.
In 2014, Home Depot had a data breach of more than 50 million customers. The breach ultimately cost the do-it-yourself retailer a minimum of $19.5 million to settle customer lawsuits.
In between the time of the breach and the settlement, Home Depot hired its first CISO, Farshchi. Before introducing the CISO title, Daniel Grider, VP of information technology at Home Depot, oversaw security. Grider is still with the home improvement retailer.
As time progresses, the question may become less about what the lead security role is, especially when Silicon Valley is dabbling in distributed responsibilities. Instead, companies should ask what the functional requirements for a world-class security program are and how they will be reinforced across company lines, according to Lindstrom.