CISOs have a lot on their plates. In addition to overseeing security operations and projects, they also lead and advise their organizations regarding risk. In short, a CISO must grapple with numerous obligations of varying size and complexity.
The obvious obligations, such as compliance with regulations and laws, can take up a significant part of a CISO’s energy. There are also the clear-cut obligations found in contracts, service level agreements, and privacy notifications. And, if the CISO works at an organization that develops products or services, then there are often direct liability obligations around performance and execution.
Compliance obligations don’t disappear either, they just keep accumulating.
- The New York State Department of Financial Services is adding 14 pages of new cyber security requirements for New York-based financial institutions.1
- Recently the PCI Security Standards Council (PCI SSC) revised their self-reporting rules to help clarify requirements on their nine different compliance questionnaires.2
- Later this year, the venerable SSAE 16 audit will become the SSAE 18 adding new requirements for risk assessments and scrutiny of third parties.3
- Let's not forget the European Union's latest iteration regarding privacy and data retention between US organizations and the EU called Privacy Shield (formerly Safe Harbor).4
CISOs also have indirect obligations that are not always clear but nonetheless must be uncovered and met. These include meeting the general market expectations for organizational security, often based on a general standard of what is considered reasonable. They also have obligations regarding “vicarious liability,” which refers to the organization’s responsibility for the actions or omissions of its employees. If an employee goes rogue and uses his or her work computer to hack someone else, the CISO will, at the very least, have an obligation to aid law enforcement in the investigation. Varying legal obligations also abound around record retention, eDiscovery, and the mountains of data heaped throughout an organization.
Sometimes in the tech world, new or random obligations can swerve into a CISOs path out of nowhere. Consider the case of Reynaldo Gonzalez, father of a victim of the Paris terror attacks, who is suing5 major social network service providers for providing “material support” to terrorists related to the attacks. If this lawsuit is successful (although that is unlikely), it could mean new obligations for system owners to monitor and control customers (which is why it is likely to fail). Problems like this will continue to surface as society tries to apply physical world paradigms (in this case, tenant ownership obligations) over digital realms.
Beyond these, CISOs also have ethical obligations. A good source can be found in the (ISC)2 Code of Ethics6 which requires (ISC)2-certified professionals to “protect society, the common good, necessary public trust and confidence, and the infrastructure.” This can get tricky when a CISO who advises regarding the flow of information confronts issues around privacy or disclosure.
All of these obligations churn and compete in the day-to-day affairs of a CISO. Consider the simple requirement under most breach disclosure laws to notify victims within a fixed time period. It seems straightforward to outsiders: notify victims if their data has been exposed. The reality is that it can takes weeks if not months to determine exactly what happened in a breach situation. Given the ephemeral nature of digital evidence, coupled with the fact that cyber crooks have actively tried to cover up their tracks, it’s difficult to know the whole story. But over-notification because you don’t know the whole story could mean unnecessary class-action law suits and bad press. In such a dilemma, it’s difficult to know the right thing to do. Whatever choice you make, it’s going to be painful.
Like most things information security, you can turn to risk as your first, best tool. If things spiral out of control into the worst-case situation, everyone will be looking at your actions. Did you do what was reasonable? Do your actions look good on the six o’clock news? As a CISO, you are in the best position to realize what is at stake with your understanding of technology, security, law, and the business needs.
Your final tool is to be boldly transparent and assertive in your responses to your obligations.
Clearly and consistently describe what you are doing and what you will not be doing in policies, notices, obligations, and internal emails. You should never be passive about claiming your obligations. Keep your stakeholders in the loop and tell them ahead of time of the responsibilities you are accepting. This transparency will attest to your integrity and reasonable due care if things go badly.
In the end, CISOs have many painful, sometimes contradictory obligations. Your choices can be narrowed to only concerning yourself with what is truly at stake and then being open about what you will and will not do. In the end, we all try to do more good than bad.