Being a CISO has never been easy. Holders of the position struggle to be heard by the corner office and get enough budget to protect against cyber threats. Now the role may become even tougher in light of the U.S. Securities and Exchange Commission’s lawsuit against SolarWinds and its CISO, Timothy Brown.
MSPs and industry observers are watching the lawsuit with interest. Now that a cybersecurity professional is being targeted, they wonder how much harder it will be to fill CISO and other cybersecurity positions. The SEC filed the lawsuit in connection with the massive 2020 supply chain cyber-attack against SolarWinds, which affected several federal agencies and more than 100 private companies. SolarWinds and Brown “ignored repeated red flags about SolarWinds’ cyber risks,” the SEC says.
The suit, says Kevin Beaver, cybersecurity expert and founder of Principle Logic, may not directly impact recruitment to fill cybersecurity positions, especially for newcomers to the field. But it’s a different story for CISOs.
“I think we are going to see more and more hesitancy toward the CISO position,” he says. “It’s too bad because the CISO role is behind the eight ball in so many organizations. There’s often a general lack of political support, financial backing, and so on. Now this.”
Rebecca Herold, CEO of Privacy & Security Brainiacs, agrees. If CISOs are expected to bear the brunt of security incidents and legal noncompliance, their job inevitably becomes harder, she notes. “No one who is filling a CISO, CIO, or security leadership role should be expected to do so without full support, and without as much of the necessary budget as possible,” she says.
If corporate leadership fails to properly support those positions, they won’t attract the right talent, Herold adds. “The best candidates will not want to work for them. With the exception of folks who want to take on a huge and risky challenge, those who are willing to fill the positions will be more likely to be those who are not actually qualified.”
Cybersecurity positions are notoriously hard to fill. Cybersecurity certifications provider (ISC)2 estimates in its 2023 Cybersecurity Workforce Study that 4 million positions currently are vacant, up 13% from a year ago. Legal risks associated with cybersecurity may give jobseekers pause, says (ISC)2 CISO Jon France.
“The role of a CISO is already a tough job. With added scrutiny and layers of complexity around legal ramifications, many candidates may be more cautious of taking a job due to concerns around personal liability. In turn, it potentially causes organizations to look toward a smaller pool of qualified candidates, which, of course, increases competition,” he says.
From an organizational leadership perspective, France adds, the CISO role needs the same protections granted to other corporate officers.
Doing The Right Thing
While worried about the effect of the SolarWinds suit, industry executives interviewed by MSP Success aren’t excusing shoddy security practices. They believe organizations, and their CISOs, should do the right thing when it comes to cybersecurity.
Too many organizations, says Herold, still try to do the minimum to achieve compliance with security and privacy regulations. “Executives and business owners still ask me, ‘What few things can we do to not have to worry about compliance penalties?’ Executives and owners need to understand that they do not get to pick and choose the requirements they want to follow and disregard the rest.”
To protect their organizations — and themselves — CISOs must take the required measures to properly secure their businesses’ digital ecosystems, she says.
And be sure to document everything. “Security policies and procedures must be documented and communicated to all associated staff who need to follow them. All training activities must be documented, along with all awareness activities, such as reminders. All risk management activities and communications must be documented. All communications to executives and the board of directors must be documented,” Herold says.
The same goes for risk management activities regarding third parties such as vendors and contractors. “If it is not documented, then to regulators and auditors it did not happen.”
(ISC)2’s France agrees. “Basic cybersecurity hygiene is a must for all businesses. This includes implementing risk assessments, incident response plans, access controls, managing third-party suppliers and vendors, educating and training employees and board members on the inherent cyber risks, as well as leading the organization with transparency and trust.”
For MSPs, says Mike Semel, founder of MSP consulting firm Semel Consulting, the SolarWinds suit is a reminder that you cannot focus on revenue alone when engaging clients. “When you recommend a cybersecurity solution to a client, you should work with the client so they understand their risks of not making the purchase. If the client still declines, you should confirm the offer, their refusal, and the potential consequences in writing.”