“We spend every day, every waking hour trying to defend a business and the infrastructure and do the right thing for their risk tolerance, and we forget to think about implications of our own.”
Speaking this week at the RSA Conference, Lisa Monaco, U.S. deputy attorney general, said Sullivan’s acts were “very, very different from a mistake made by a CISO or compliance officer in the heat of a very stressful time.”
“This was intentional activity, misleading the FTC and other intentional conduct found by the jury, [that was] very, very different, and nothing to do with the well-meaning and stressful work that CISOs and compliance officers have to deal with in the heat of the worst days of their lives, if they’re undergoing a breach,” said Monaco.
Still, Kirsten Davies, CISO at Unilever, said the incident brings a “whole new focus of lens” around the responsibilities that CISOs take on, whether it’s dealing with a security breach or with evolving regulatory compliance like the White House’s Cyber Incident Critical Infrastructure Act of 2022, which enacts 72-hour data breach reporting requirements.
“It’s a shifting landscape; I think that’s the biggest thing that jumps out at me,” said Davies. “For those of us that are involved in multi-nationals, perhaps multi-regional categories of conducting cybersecurity, we already know the fog of war is difficult when you’re in the middle of an incident, and you’ve got data coming at you from all places… Now we have a shifting landscape of regulatory requirements with regards to if you’re in India, in GDPR, Europe territory, in the U.S. with the SEC rules coming out. It’s just this constant shifting sand that we’re trying to balance ourselves and our teams on and the incident response on.”
While CISOs are on the front lines of security incidents, a large part of their job also depends on the level of support they get from their company, in the form of budget, resources and overall culture. Marie Zettlemoyer said that she’s starting to see CISOs make conscious choices to move to organizations that take security more seriously.
“Now it’s a different context, and [CISOs] are having conversations on ‘you’re asking me to really foot the bill here on risk, not just professionally, but personally,’ and that opens up a greater discussion, I think, with the board and the rest of the C-Suite that can move things forward,” she said.
“I’ve seen – and I think this is a good thing – good folks walk away from companies or situations that are not properly investing in security because they’re thinking to themselves, ‘am I going to put myself in the situation where I cannot do my job with proper diligence, with the proper resources, and what is that going to mean for me? What risk am I taking on?’”