CISOs

The long anticipated Securities and Exchange Commission rule on cyber incident reporting took effect in September, creating significant changes at the C-suite and board level. 

The rules will reframe the role and responsibility of the CISO, who will likely face the task of not only responding to a material incident, but also reporting that incident up the command chain and making an official regulatory disclosure.

The personal and professional stakes for CISOs have never been greater. Over the past year, the former CSO at Uber was convicted in federal court for helping to cover up a ransomware attack amid a previously launched data security probe by the Federal Trade Commission. In June the CFO and CISO at SolarWinds were notified by the SEC that they were under civil investigation for their role in the Sunburst malware attack. 

“The CISO role has never been easy, and it looks a lot less appealing when you add liability and criminal responsibility to the pressure, the on-call hours and the stress,” Ryan Witt, VP of industry solutions at Proofpoint, said via email. 

Proofpoint released its annual Voice of the CISO report in May, which indicated 62% of CISOs were already concerned about potential liability in connection with incident response and corporate governance issues. 

Given the responsibilities they will face under the new SEC rules, the level of anxiety among CISOs is on the rise.

"The SEC ruling and its disclosure requirements continue to place a lot of pressure and responsibility on the CISO,” Jon France, CISO at (ISC)2, said via email. “CISOs are navigating this challenge individually, with their accountability and job difficulty increasing simultaneously.”

The new regulations require publicly traded companies in the U.S., and foreign companies that trade in the U.S., to disclose cybersecurity incidents within four business days of determining the incident is considered material to the company’s financial performance. 

Therefore a CISO might be expected to work with various stakeholders, including finance, legal, human resources and bring in a cyber forensics expert and legal counsel, to determine the scope of an attack and make a collective determination as to the cost and scope of the event. 

Jeff DiMuro, deputy CISO at IT firm ServiceNow, said he doesn’t expect the new SEC rule to force any major changes in how the company manages cyber risk. 

“The SEC rule we think just memorialized a demarcation of the four-day reporting rule, but these are things we have to do anyway as CISOs for a publicly traded company,” DiMuro said in an interview. 

The company has an ethical steering committee that includes multiple executives, including the general counsel, CFO, CTO, his direct supervisor the CISO, and other key executives. 

The committee meets bi-weekly and on an ad hoc basis, in the case of a cyber incident, to discuss how they will manage the response. The company also offers a bug bounty public responsible disclosure program using the HackerOne platform. 

Corporate officers can be held personally liable by various regulatory agencies for how they respond to data security issues, including lawsuits from investors and class-action litigation from consumers. 

In 2022, following the leak of 2.5 million consumer records, the FTC ordered Drizly CEO James Cory Rellasto implement a data security program at the online liquor marketplace and any new business he joins in the future.

One effect of the new ruling has been a push by CISOs and other risk executives to obtain additional liability protection as part of their jobs. C-suite executives and board members are typically covered from liability by directors and officers insurance. 

Executives at professional services firm Aon say they are getting additional requests about whether CISOs are included in coverage or can be added to existing policies. 

“The rails around that are typically the bylaws of the company, whether somebody is an officer of the company, and I think for the most part CISOs do qualify in that regard,” said Uri Dallal, managing director and U.S. regional leader at Aon. 

“That said, when you get to situations like this where the role is attracting litigation in the way that it’s typically reserved for the CFO and CEO, it’s not uncommon for people to question whether they are covered under the policies, and seek affirmative coverage,” Dallal said.

Lexmark CISO Bryan Willett said even though the SEC rule applies to publicly traded companies, the rule also will impact closely-held businesses. For example, if a company has a third-party relationship with a publicly traded company, any type of data breach or attack may require changes in the ability to respond. 

“A public company’s third party risk management program may require contractually very short notification,” Williett said via email. “Regardless of whether the partner company is private, they still need to meet the requirement indirectly.

It pays to be a CISO. More than half of these cybersecurity leaders earn up to $400,000, according to survey results released by IANS and Artico Search. The annual compensation for the top 10% surpasses $1 million per year, the 2023 CISO Compensation Benchmark Study found.

CISO salary increases are slowing down, with average total compensation for CISOs up 11% this year, but down from a 14% average increase in 2022. The share of CISOs earning compensation increases this year was also down; just 80% of CISO saw base salary increases, down from 90% last year.

The lower pace of compensation increases for CISOs is purely an economic reality, according to Nick Kakolowski, research director at IANS.

Security budget growth scaled back this year amidst economic uncertainty, inflation and increased borrowing costs, which impacted funding for cyber talent, the report said.

In the U.S. the average total compensation for CISOs reached $550,000 this year, according to the survey of 609 security professionals in the U.S. and Canada. Nearly two-thirds of the survey respondents work for organizations in the finance, healthcare and technology sectors and nearly half work at companies with less than $1 billion in annual revenue.

With cyber threat recognition on the rise and budgets squeezed, organizations are largely asking for more from CISOs, Kakolowski said via email.

The CISO role is going through a transition similar to what CFOs went through with compliance to the Sarbanes-Oxley Act and what CIOs encountered during digital transformation efforts, Kakolowski said.

This might elevate CISOs’ roles within their organizations, but rarely to the highest corporate level. Only 1 in 5 CISOs are considered a C-level executive at their organization, according to the report.

“Cybersecurity is a critical part of doing business and, as more organizations recognize that, CISOs are being elevated — in terms of compensation and influence — to a similar level as other specialists in the C-suite,” Kakolowski said.

Despite these changes, CISOs remain consistent in their hunt for new career opportunities. Those considering a job change in the next 12 months jumped from two-thirds of CISOs surveyed in 2022 to three-quarters of CISOs surveyed this year.

Top-performing CISOs regularly practice five key behaviors that level up these leaders from less-effective executives, according to Gartner.

The majority of top-performing CISOs consistently initiate discussions on evolving norms to stay ahead of threats and commit time to personal professional development, according to Gartner’s survey of 277 CISOs between 2020 and 2023.

The most effective CISOs also differentiate themselves by defining risk with input from senior business leaders, building relationships with decision makers outside of designated projects and proactively engaging with emerging technologies, the survey found.

The research firm concluded these five behaviors are at least 1.5 times as prevalent among top performers compared to their less-successful counterparts.

“No organization can be fully protected against every cyber threat,” Chiara Girardi, senior principal on the cybersecurity research team at Gartner, said in a statement.

Gartner relied on four critical outcomes to measure CISO success, including functional leadership, information security service delivery, enterprise responsiveness and scaled governance.

“The most effective CISOs stay apprised of existing and emerging risks so they can provide leadership with context around the most significant threats facing the business, to influence investments and risk decisions accordingly,” Girardi said.

The odds of a CISO encountering a major cyberattack are about as high as it can get with 9 in 10 CISOs reporting at least one disruptive attack during the last year, according to Splunk research. 

Almost half of the 350 security executives surveyed said their organizations were hit by multiple disruptive cyberattacks during the last year.

Ransomware accounts for many of these attacks. Almost every survey respondent, 96%, reported a ransomware attack and more than half experienced a ransomware attack that significantly impacted business operations and systems, the report found.

The number of ransomware attacks confronted by organizations has a direct correlation with the frequency with which ransoms are paid. More than 4 in 5 CISOs surveyed said their organization paid the ransom.

At that level of ransom payment activity, CISOs have to operate under the assumption that ransom payments are effectively part of the job.

“CISOs have a duty to anticipate ransoms and also implement them in their budgeting for cyber insurance,” Ryan Kovar, leader of Surge, Splunk’s blue team security research team, said via email.

“Minimally, they need to have a plan before they get ransomed that places them in a position of strong resilience,” Kovar said.

Ransoms payments are part of the job

This high rate of ransom payments, which can fuel cybercriminal activities, underscores why the U.S. government and some of its allies floated a potential ban on ransom payments earlier this year.

“Fundamentally, money drives ransomware and for an individual entity it may be that they make a decision to pay, but for the larger problem of ransomware that is the wrong decision,” Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said at a May event hosted by the Institute for Security and Technology.

A ban against ransom payments would represent a major shift in strategy, opening up a new and complicated measure to counter financially motivated threat actors.

The Biden administration, as recently as September 2022, decided against an outright ban on ransom payments. Instead, cyber authorities strongly encourage organizations not to pay.

The financial implications of ransom payments vary widely, according to Splunk’s report. Most organizations paid ransoms under $250,000, but nearly 1 in 10 paid ransoms over $1 million.

“That’s a lucrative business for ransomware gangs — and many desperate organizations gamble with their reputations in the hope of decrypting their data, recovering their systems and preventing the release of sensitive material,” Splunk researchers said in the report.

Technology like generative AI can address some key security challenges confronting organizations, but professionals that overemphasize those capabilities miss the fundamental need to put people and their unique talents first.

“Security is a people issue,” Amazon CSO Stephen Schmidt said during a presentation at AWS re:Invent in Las Vegas. “Computers don't attack each other. People are behind every single adversarial action that happens out there.”

For Schmidt, winning in security is akin to playing chess — focusing on the board, how the pieces move and interact — while practicing psychology. Security professionals need to understand the human elements at play, including their own tendencies and opponents’ motivations.

“You’re not playing just one chess match,” Schmidt said. “You are playing dozens or hundreds of games at the same time, because you have a variety of adversaries with different motivations who are going after you.”

This cybersecurity scrum can feel overwhelming, but many defenders view generative AI as an ally that can automate repetitive tasks. Cybersecurity vendors across the landscape have released security tools infused with the technology and more are in the pipeline.

Generative AI could also ease a persistent and critical skills shortage in cybersecurity.

Tools like generative AI that can automate and scale the work that takes tension away from complex decisions and nuanced focus are critical, according to Schmidt. “My goal, by the way, is to have people focused on the most ambiguous, dynamic problems, which can’t be solved by software.”

How Amazon weighs AI benefits, risks

AI is “already radically changing our business,” but like any tool, it has its limits, Schmidt said.

Amazon has grappled with the benefits and risks that AI can deliver as organizations apply it to bolster security controls. When the company identifies an area where AI can help it achieve a particular goal, it ponders three questions which help shape security needs with business operations.

Where is the data? 

Understanding how data is handled for LLM training is critical to data security, particularly as it relates to how generative AI models access and potentially expose corporate information. 

Organizations should encrypt that data in transit and at rest, and validate the permissions used to access that data are scoped to the least permissive possible, Schmidt said.

What happens with generative AI queries and any associated data? 

Files or information submitted as part of a generative AI query can lead to better predictions and results, but organizations need assurances that services handling that corporated data will keep it protected, Schmidt said.

The iterative back and forth in AI chatbot queries should be viewed as a potential risk that could jeopardize the organization’s ability to meet regulatory and compliance requirements.

Is the output of the generative AI models accurate enough?

The quality of results from generative AI models are steadily improving, but an overreliance on these outputs without human oversight can expose organizations to challenges that might negate the benefits.

Organizations that are using LLMs to generate custom code, for example, need to validate it’s well written and follows best practices before deploying the code to production, Schmidt said.

These questions guide how Amazon’s security teams think about generative AI and LLM services for internal Amazon use, Schmidt said.

“You the customer should have control of your data and be able to use the model of your choice in a safe and secure manner,” Schmidt said. “When it comes to AI, our guiding tenant is simple: Your data is just that, yours.”

Today, chief security officers and chief information security officers are seen as largely interchangeable titles, but the demarcation of “information” in the title matters. Both roles are tasked with ensuring the security of an organization and protecting its assets, but the two titles can mean very different things.

Longtime CISO Steve Katz is credited with pioneering the role after Citicorp suffered a cyberattack in the mid-1990s. In an effort to guard against future attacks, the company created the CISO role so there was an executive to take charge of protecting the organization’s digital assets, a history SecurityWeek documented in a 2021 interview with Katz.

However, long before computers and digital information, companies needed to protect their physical property. Although it is unclear when the term CSO originated, there was someone who was in that role, whether they had an actual title or not.

While the CISO is primarily focused on securing an organization's information systems and data, the CSO's role encompasses all aspects of security, including physical security and information security, as well as human safety.

“As more things moved to computers and the digital world increased in value and importance, the CISO role emerged to take care of and protect the digital infrastructure started in the 2000s,” said Frank Huerta, CEO with Curtail. 

In its earliest days, the CISO role may have been under the CSO’s domain, but eventually the CISO reported directly to the CIO, while the CSO may report to the CFO or COO. 

“The CSO and CISO roles may be independent of each other now — physical and digital — but as the physical and digital worlds converge, these roles tend to overlap and complement each other,” said Huerta.

Within security, that world is colliding. In the not-so-distant past, the person in charge of physical security monitored keys to the building and supervised the security guards. Now key access is electronic and security systems are IoT devices.

For the CSO, physical security has gone digital. 

Recognizing the differences

The clear differentiation between a CISO and a CSO promotes accountability and clarifies responsibilities, reducing confusion and improving decision-making during security incidents or breaches, according to Amit Pawar, VP of consulting and services at Xage Security. And they may often work in tandem. 

“The CISO may lead the response to an information security incident, while the CSO may coordinate the overall response, including physical security and crisis management,” said Pawar. 

This distinction ensures that all aspects of the security incident are addressed and that there is clear accountability.

The CISO has taken on more prominence for sure, but the physical and the digital world go hand in hand. There is a big picture focus on the roles the CISO and CSO now have within business operations. 

“Is security only an after-the-fact process to respond to breaches and break-ins both physical and logical, or is there a process to help make sure the applications are as bug free to prevent vulnerabilities from proliferating from bad code that hackers can exploit,” said Huerta.

The organizational structure of the company will help define the roles of each role.

The evolution of security leadership

Rather than focus on the differences, Mauricio Pegoraro, CISO at Azion, believes it is more important to define the roles and responsibilities if both executives are needed, and both should respond to the board or CEO. 

“With the constant evolution of the digital world and more threats emerging, the more security leadership needs to evolve and specialize,” said Pegoraro. 

A few years ago, the organizational tree of a CISO hierarchy had very few levels. Today we see many levels and many leadership types that will continue evolving and changing. 

“In a few years from now, the CISO role will expand and become what was a CSO role and, in some cases, even a CIO role since many aspects of information technology and IT systems are now determined by the security requirements and processes around them,” said Pegoraro.

CSO or CISO?

Because the roles overlap so much today, is there a need to have both a CSO and CISO, or can one person handle both the physical and digital security? 

“Larger enterprises with ample physical and digital assets tend to have both a CISO and CSO,” said Tim Chase, global field CISO at Lacework.

But in smaller companies, the role is more likely to be combined, and in some cases even adding in the role of the CIO. The need for security built into code and platforms is more vital than ever, so the CIO may find themselves shifting more into a CISO-type role. 

The CSO and the CISO are finding their roles expanding and redefined as both security and threats evolve. 

The cyberattack on Estes Express Lines taught the company a valuable lesson that bucked typical advice from attorneys and tech advisers in such scenarios: Publicize what’s happening as much as possible.

Disclosing the attack on Oct. 3 and providing regular video updates engendered sympathy, honesty and offers of assistance from customers and colleagues, President and COO Webb Estes and CIO Todd Florence said in another video shared in response to media questions.

“Once we were honest with them, they were honest with us,” Estes said. “It feels really good when a customer’s like, ‘Hey, this happened to me, too. How can I help you?’”

After discovering what Florence called “outside actor activity” on its network on Oct. 1, the privately-owned, Richmond, Virginia-based company shut down systems and issued a “tech outage” alert but mostly kept quiet publicly.

But in a meeting about 48 hours into the response, frustrated Estes leaders decided that strategy didn’t serve its customers or employees — or fit its company values, which include honesty.

“Now, are there things we couldn’t say? Sure,” Webb Estes said. “But as soon as we were getting to a point where we knew things, we were going to tell our customers that. I would recommend and encourage any company that goes through this: They need to follow their culture, and I would hope their culture would be one of honesty.”

It didn’t only a have feel-good effect, either. Publicly acknowledging the cyberattack accelerated the company’s response by opening the lines of communication, the president and COO said.

“Once you can speak honestly, it’s amazing how much [faster] things can go,” he said. “You’re not trying to play two sides. Everyone’s on the same team: ‘How are we going to get through this together?’”

Such openness pays dividends among a company’s workforce during a tense time, Florence said.

“It changed the attitude in the room,” the CIO said. “Even if it feels inappropriate at times when you're dealing with a crisis like this, the ability to joke, and laugh, and work together helped accelerate our timelines quite a bit, because we could be open with each other.”

While Estes declined to share details on the financial impact of customers’ freight diversions, the company president said the carrier’s systems are fully restored and nearly all the business has returned.

There are thousands of cybersecurity vendors and providers vying for your business. But, because every organization’s security needs are unique to their business operations, there is no one-size-fits-all provider out there. 

Yet, big-name security vendors are building tool hubs, where customers can acquire end-to-end cyber solutions. 

Google Cloud acquired Mandiant last year, in a deal that leveled up its incident response offerings. Now, building on the integration, the firms are automating threat hunting. Already heavily embedded in enterprise tech stacks, Microsoft is rapidly growing the revenue from its security business, capitalizing on existing integrations.

While it might be easier for an organization to build its core cybersecurity system from one company, that may not provide the best option.

“With cybersecurity market consolidation, it's imperative for companies to make informed decisions when choosing providers for their core cyber systems,” said Stephen Gorham, COO at OPSWAT.

Picking core security tools is a process that requires a systematic approach to ensure all products and services align closely with the organization's cybersecurity and risk mitigation strategies. 

There are some basic checklist items that will be the foundation of any security system. Corey Nachreiner, CSO at WatchGuard Technologies, says that before vendor shopping, decision makers need to consider: 

• Industry compliance helps dictate which cybersecurity controls or systems are important and necessary to the company and tends to cover baseline security controls.
• Insurers have started requiring specific cybersecurity controls to qualify for certain coverages. For instance, multifactor authentication, endpoint protection with endpoint detection and response (EPP/EDR), and vulnerability assessment solutions are all heavily required by cyber insurers. 
• ROI and ease-of-use and deployment that may include unified offerings, automation, and consolidation. 
• Formalized cybersecurity risk frameworks, like NIST, ISO, or the SANS CIS Controls help drive organizations toward the right cybersecurity controls.

The must haves

Once the foundation is in place and the decision makers understand the functions of the core system, there will be some must haves, though it's best to not go overboard. 

Compare cybersecurity tool shopping with food shopping, recommended Chris Roberts, CISO at Boom Supersonic. Never shop hungry.

“In the digital realm this means going out armed with questions, focus areas, and knowing what problem you are looking at solving,” said Roberts.

From a core tool standpoint, Roberts looks at data, users, metrics and touch points.

“What do I have, where is it, who’s using it, who should be using it, and what are they doing with it — answer those and you are part way towards dealing with the basics in information security,” said Roberts. 

Because there are so many solutions out there, it’s important to have a strategic cybersecurity management platform that sits above the security tech stack and delivers meaningful insights as to what’s working, what’s not, where visibility is strong and where visibility is lacking. 

“We need an effective platform that brings all of this together – a single place to understand the current landscape and what I need to focus on, deal with, or communicate throughout the chain of command,” said Roberts.

And yes, expect large language models to play a greater role in core security systems going forward. Integrating LLMs into core tools could help analyze large amounts of data faster. 

“Being able to query big data using natural language has been a game changer in term[s] of quickly identifying anomalies in our data sets,” said Josh Amishav-Zlatin, founder and CEO at Breachsense.

How consolidation impacts vendor selection

Market consolidation can disrupt service levels, pricing and product focus. It can also impact integration of new systems with current tools.

“When a provider is bought, normally we review our contract and try to have an open dialogue to understand their new roadmap,” said Roberts. Sticking with the provider or switching ultimately depends on how their changes align with the organization’s needs and contractual flexibility. 

Consolidation can make the process of choosing core systems easier. The biggest cybersecurity players are adding missing pieces when they are consolidating. 

“This benefits me but the caveat is that if I need something very specific, I won’t find that from the big players – I’m going to find that from a niche player,” said Roberts. 

That said, this niche player does need to integrate with consolidated, larger platforms or else, they’re not going to be a good fit, Roberts added.