RegFi Episode 42: Beyond the Breach: The CISO’s Role as a Strategic Risk Manager
30 min listen
RegFi co-hosts Jerry Buckley and Sherry Safchuk welcome Orrick partner Aravind Swaminathan for a conversation exploring the critical and evolving role of the Chief Information Security Officer in today’s corporate landscape. .
Aravind emphasizes the importance of organizational culture in the success of cybersecurity efforts and the need for CISOs to be not just technical experts but also strategic business leaders who bring their talents to bear in broader corporate governance and risk management settings.
Links:
-
Jerry Buckley: Hello, this is Jerry Buckley, and I am here with RegFi cohost Sherry Safchuk. Our guest today is Orrick partner, Aravind Swaminathan. In the world of data protection and cybersecurity, he is a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on both cybersecurity and other threats.
We’ve asked Aravind to join us to explore the evolving roles and responsibilities of Chief Information Security Officers, or CISOs, as they’re commonly called. CISOs are among the newest arrivals in the C-suite, but it would be hard to overemphasize the importance of the role they play in a world where technology is driving corporate advancement. Protecting the digital environment is essential to most companies’ business operations, and it is a huge responsibility. When things go wrong, the CISO is on the front line, responding to management, the board, customers, regulators, and sometimes law enforcement. Some would say the CISO’s job has become the toughest job in the C-suite, but let’s go deeper to try to understand the core functions that the CISO’s job entails.
Aravind, you work with a wide range of CISOs. Can you describe for our listeners the responsibilities of the CISO during ordinary times, putting proper safeguards in place, training, and so forth, and then describe what happens when there’s a breach with the company in crisis mode and its operations and reputation at risk?Aravind Swaminathan: Yeah. Thanks, Jerry, for having me. So, I think that CISO’s job in peacetime is as complicated, if not sometimes more complicated, than in a breach, which is essentially wartime. In the context of peacetime, as I like to describe it, you’re sometimes managing building a program to protect the corporate network. And so, you’re protecting it from all sorts of different things. You’re protecting it from malfeasance, which could be outside actors, could be inside actors — badly acting employees. But you’re also protecting the network from a variety of things that don’t necessarily come with malfeasance but just end up being configuration problems and systems — ways that individuals can get access to information or assets or data that they shouldn’t have access to — for one reason or the other.
Those can all land in the chief information security officer’s lap, regardless of whether or not it’s the classic data breach incident by a bad guy or not, and so building and managing a security program in a corporate environment is just one part of the battle.
A lot of CISOs today are charged with thinking about the security of the product or service that their organization sells. So, for example, if you build a camera that can be installed in people’s homes to take video footage, you may be responsible for product security. And if your company sells a SaaS service, you might be responsible for protecting that infrastructure. And, you may be part of the marketing sales team because one of the things that people are buying products and services based on is security. And so, you can become an evangelist for your own products and services, so in order to do that, you have to be involved in the protection of those.
So, a CISO’s job can really be very different depending on what your company is. Some companies, for example, think about product security as a separate function, and it’s not under the CISO. Okay, fine. But again, I think that just goes to — for CISOs, the job responsibility can be fairly broad or narrow, depending on how it’s defined in a company.
When you get into the situation of breach, it’s an all-hands-on-deck where you’re the — you’re master and commander.
This is real wartime. You are the captain of the ship, and you’ve got to decide where things are going. You have to decide what systems you’re going to take offline, what systems you’re going to not take offline, what you’re going to protect, how you’re going to remediate. You’re going to have to direct the team.
You’re really facilitating, in most instances, a forensic investigation, whether it’s outside third-party — an outside third-party — or internal forensic investigation. You’re oftentimes responsible for the deployment of new tools. And so, you’re really quarterbacking a — like I would — I mean — the best way to describe it, Jerry, frankly, is you’re really the general, organizing the battlefield — and a battlefield that is shifting underfoot. And you have to be able to dynamically respond to those challenges.
And what I mean by that, specifically, is a cybersecurity incident is different than a normal crisis. Like a normal crisis, like a plane crashes — it’s down on the ground, there’s emergency vehicles, there are people that are hurt, there’s fire. You can see all of that stuff, and it’s largely static. A cyber incident is completely different. A cyber incident is like a plane crashing over and over and over and over again because it’s dynamically changing, and it’s dynamically, oftentimes, changing based on what a bad guy wants it to.
And so, it’s like a plane crashes, and then it explodes, and then somebody shows up to shoot a bunch of people. It really can be that dynamic aspect of it where you have a threat actor who can still be in your systems moving away from the remediation and containment activities — pivoting, looking at other different places that they can kind of hold up and keep their foothold requires — again, the word I keep using is a dynamic response effort. So, you’re constantly thinking about where the pieces are on the battlefield and shifting those around.Jerry: It must be tough because you’re trying to deal with the logistics. At the same time, in the back of your mind is: Where is our liability going to be here, and what can we do to minimize it? I’m sure that’s something that you encounter all the time. Aravind: It’s permutational thinking. It’s — if I shut this door, all these other doors are open. What does that potentially lead to? Or if I shut these four doors, these two doors might still be open. I don’t even know what other doors are open. What are my risks that are there?
So, I think about it — you use the word liability, which I think — the word I would use is risk, and you’re really in a situation of managing a constantly evolving landscape of risk. You might shut one thing, and another thing opens. You might shut that thing, and there’re two other things — that you didn’t even know were open before — are still open. And so how you coordinate that effort to lock out a bad guy, especially like an advanced persistent threat actor — state-sponsored actors who are really good at what they do and not just in it for a smash and grab — can be really challenging.Sherry Safchuk: Thank you so much, Aravind. That’s fascinating. And thank you for joining us. I just want to focus on the CISO, specifically. We are witnessing the evolution of the CISO’s role as technology and the threat environment keeps changing. It’s regrettable, but CISOs are exposed to criticism and potential liability when their employers’ data walls are breached. Could you describe some of the liability, the — kind of the personal liability for which a CISO is exposed to if things go wrong, particularly in light of the recent actions by the DOJ and the SEC? Aravind: So, what I would say is that, more and more, we have seen CISOs, and I would just say executives in general, being held — or agencies trying to hold them — accountable for what the regulators perceive is some failure. And so, you’re asked to be, essentially — I don’t want to make this an overstatement — but you’re asked to be perfect in the fog of war, which is incredibly, incredibly difficult. You are making decisions in real-time that have real consequences, but with almost always imperfect information where hindsight 20/20 is — really can’t help you.
So, what they’re largely looking at is: Did the chief information security officer fulfill his or her responsibility on a couple of basic fronts? Were they accurate in what they responded to — what they told management of the board? Were they attentive to the security controls and the program and doing kind of the minimum things that they’re supposed to do and complying with what regulations or rules or frameworks they are supposed to comply with? Were they accurately stating to the public, and this is what happened in SolarWinds, the state of the security program? Were they managing the team? Were they, in the case of Joe Sullivan, accurately testifying or providing information to a regulatory agency in the midst of an investigation?
By the way, listen to all of those things. And a lot of it is about communication, but it’s so diverse in the ways that they’re being challenged and, oftentimes, not on the core security. I mean, if you look at what Joe Sullivan, who is our client, was accused of doing, it was really about not providing information to the FTC — the FTC in the context of an investigation. That’s the fundamental basis of those criminal charges, and that’s obviously all public. But that’s very different than, “What am I doing to protect the network?”
So what it highlights, I think, in many respects, is that the CISO’s role is no longer constrained to just doing job number one. There’s job number two, three, and four — which I would call like ancillary responsibilities and skill sets that they often haven’t built out, practiced, or well-honed, trained — that are now becoming part of the demands of their job and where they’re being the focus.
And so again, whether it’s the FTC, state AGs, financial regulators, DOJ, SEC, it’s like there are really myriad issues that they are flagging or chasing after CISOs and saying, “You should have done a better job on this.” When, oftentimes, it’s not simply about, “Did you protect the network; did you do the thing you were supposed to do?”Jerry: You know, I have to observe (and this is very basic): Your house has been burglarized, the police arrive, and they decide that they’re going to arrest you. Aravind: It is basic, but I think there is constantly in cyber generally, Jerry, this notion of revictimizing the victim, and we see that all the time. And this is a different — slightly different conversation, but it begs the question of what’s really the role of responsibility of government? Because the ecosystem needs government support, period. The government is such — can be such a positive influence in the way that companies protect themselves — in what information they share and the resources that they provide, all of those kinds of things — that having an enforcement angle to — having that be their focus — it’s counterproductive sometimes. I’m not saying that you can’t — you can only have the carrot and not have the stick. I’m not naive about it. But if you ask me where the government needs to spend more time, it’s there because it avoids — it not only avoids the problem that you’ve identified, which is revictimizing the victim, but it actually puts the resources into a place where they’re really needed. Jerry: Especially in the case of state actors. Aravind: Hundred percent! Hundred percent true, especially in the notion of state actors. But I don’t want to limit it to just state actors. And that ecosystem, by the way, is, in and of itself, extraordinarily complicated. It’s not as simple as it’s a state actor or it’s somebody who is looking to make a buck — complicated ecosystem.
Suffice to say, I agree with you. What they are tracking and what threat intelligence that they have and how they’re sharing it with — look, there’s a tremendous amount of movement that’s happened over the last 10 years in the federal government in particular’s sharing of threat intelligence information with security professionals, whether it be in-company or be at a forensic firm or a consulting firm, something like that. Tremendous growth in that, and there’s lots of people who should be commended for doing that.
But that’s just the tip of the iceberg — that’s just the tip of the iceberg in terms of what government’s role potentially could be in helping understaffed security programs, under-trained security professionals, and under-resourced security teams do better.
And it’s not filing a complaint and charging them with violating the SEC rules. That just seems, to me, to be a waste of time.Sherry: It sounds like the CISO has so much focus and a lot of weight on their shoulders. If I wanted to go and apply for a job as a CISO, what should I take into consideration? Because it sounds like there’s so much liability. Should I get my own insurance? What kind of director and officer insurance should I be asking for? In that context, as you may recall, kind of in the privacy space, once the comprehensive privacy laws came out and there were real threats when a data breach occurred, everyone was pushing for cybersecurity insurance. So, is this kind of along the same lines as that? Aravind: So, those are all really good questions. I’m going to start at a slightly different place because I think the number one concern that a CISO candidate should be looking for before she takes a job is culture, culture, culture — period, full stop. You got to go for the right job. Not every job is right. And I appreciate — we all want to become — we all want to go up in our careers. And there’s a lot of people who want that CISO job; they want that title. Not every job is the right job. And culture and the organization that you’re going into is such an important predictor of your ability to be successful. And at the same time, reducing all of those liability risks. That you got to start with where a culture is in your firm, so I think that’s the first thing you got to look at.
Now, let’s say you’ve got the job. You’re like, “This is a great job. This is the one I want to take. This is the organization to go work for.” I think, Sherry, it’s a good question. What are the legal things that you should be asking for? And I would think about them in a couple of buckets.
One, you want to be in the same position that other C-suite officers are, which is they have rights to indemnification under either the bylaws or some type of agreement with the company — period. So you want to have that indemnification right now. It may come along with, you know — the other thing you want is an advancement, which may come with an undertaking to repay, so it’s advancement of legal fees in case there’s something with an undertaking to repay. But that indemnification agreement is starting point number one.
Whether it’s by operation of law — you’re on the bylaws, and it’s Delaware Corporation, and they’ve indemnified you — fine. Whether it’s by contract that they agreed to indemnify you to the full extent of the bylaws — fine. But you have to have that agreement in place or understand that you will be indemnified, number one.
Number two, you want to have an agreement that they will advance legal fees, and you will agree to undertake to repay them should you be determined that you are not entitled to those. So, that’s number two.
Number three is you want to be inquiring or asking about whether or not you could be on the D&O policy. Now, no one of these is kind of independent of the other. These aren’t like, “I want this one or that one.” In an ideal world, you have all of them because they all serve a slightly different role. But some of them can displace others, meaning take one if you can’t get all three. So it doesn’t mean you have to get all three. Each one of them plays a different function in your protections, but that’s sort of the protection for you.
Now, the thing that you have to sort of connect, though, is the gap because the gap between culture of an organization and your legal protections is really where the rubber hits the road. What’s the security program look like? What does your team look like? What resources am I going to be given? Do I have a direct line to the board or the CEO or the general counsel so that I have someone who I can go to? Am I being supervised by the right people? Am I being resourced right?
All of those are the things that you want to ask about, which I call — I sort of capstone under culture, but there’s a whole bunch of connective tissue in between that nominal notion of “Culturally, is this the right organization?” and “Am I getting the legal protections?” — there’s a whole bunch of connected tissue between the two of those that gets you to a place where you’re like, “Yeah, that’s the that’s the right job to take.” And no job’s ideal. We all get that. No job’s ideal.
But if I was looking, and the way I coach CISOs who are looking for jobs because — I’ve been on the other end of it with CISOs, where we’re representing them in their personal capacities. So, we represent Joe. I’ve represented the former CISO at Yahoo in his personal capacity. So we’ve done this before and seen how this can play out, and so I oftentimes sit down with a lot of CISOs and talk to them about what are the things that I would be looking for. And that’s how I think about it.Sherry: And when you talk about culture, you’re talking about kind of a privacy by design culture — how are they focusing on cyber security, privacy of data? Aravind: It’s everything. Because remember, privacy is really about the collection, use, and sharing of personal information. Cyber has a significant overlap with that because, of course, we’re concerned with the protection of personal information, but you’re in protection of the whole network. And the systems and the products and all kinds of other things that do not have anything to do with personal information. And so, I would say it’s slightly different.
I think when I’m talking about culture, I’m talking about the kinds of things that every executive should be looking for in the organization. Like, am I going to be well supported in this role? Is security really meaningful? Is transparency a cherished value in the organization so that when I’m in a situation where someone needs to say, “This is wrong, we got to fix this,” I feel like there is a receptacle to do that? Those are the kinds of things that we’re looking for. Every organization strives to be those and always wants to be culturally situated that way.
But I do think that there’s a little bit more nuance to it and subtlety to it that we probably can’t articulate really well. That is, am I a good cultural fit for the way this organization is going to want to run its program?Jerry: You know, the role of the CISO has evolved. It’s a relatively recent, important addition to the C-suite. And understanding the responsibilities, which are evolving as well, is kind of important. But, you know, it almost seems as if we could use a CISO handbook, a professional guide to conduct. You know, any thoughts about what such a handbook, if you think that makes any sense, what such a handbook would cover? What would be the source materials, and what would you draw on in developing such a guide, if we decided to develop a guide? And it might not be possible because it’s a rapidly changing set of responsibilities. Aravind: So there’s a lot of folks that have come forward with this idea. And I think, conceptually, it’s appealing. But I think that there’s two fundamental points issues with it.
All right. So I’ll put my lawyer hat on for a second, which I don’t like doing all the time. But if you built a handbook and said, “This is the CISO handbook,” that’s going to be the standard of care at every organization. It’s just going to be like a de facto standard of care. And guess what? There is no ubiquitous standard of care.
Every organization has to develop and implement their cybersecurity program based on risk. There is no perfect cybersecurity program where everything is insulated. Well, there is. It’s a solid iron box that sits out there in the middle of a parking lot that’s not connected to anything. You could have that all day long. But security is a dynamic problem. It is based on understanding and appreciating and evaluating risk, and deciding what you’re going to accept and what you’re going to remediate. And what you’re going to mitigate and manage and have compensating controls for and so on. That’s what it is.
So having a handbook, I don’t know really helps the problem because it oversimplifies the situation that all CISOs go into. And I think it becomes a de facto standard of care where someone’s like, well, the book says you got to do this. I mean, not literally, but that’s what every plaintiff lawyer is going to look at. So I don’t know that that’s really all that helpful.
What I think the CISO handbook, so to speak, Jerry, is a good proxy for is the need to have more rigorous training for security professionals and chief information security officers in particular, to understand what their responsibilities are and what the best practices are and what they should do.
So I would substitute and say, this is the way the textbook isn’t really the class. Unless you take organic chemistry, which I did when I was in college, in which case the professor wrote the textbook, and I never went to class.
But the textbook is not the class. You need a class, and you need engagement training, and you need professional development in order to be in a situation where you can succeed at your job. And so, I think what I would do is to say it’s a great thought exercise to understand what it is we should be teaching and training information security professionals and chiefs in particular to do their job in a successful way.Jerry: So, it’s almost like the chapter headings in your professor’s book. We would agree these, at least these chapter headings have to be covered. And then what’s under it may differ depending on circumstances. Aravind: And let me make mention of that because this is something that I’ve heard a couple very wise CISOs say. One of the things that you’re training on is not just, “Do you do encryption? Where do you do encryption?” It’s not about the technical aspects. It’s really about some of the soft skills. And one of the things that CISOs have been challenged by is do they have a true seat at the table? And today, more than ever, they’re getting seats at the table. But guess what? That’s just the start.
It’s not enough to have a seat at the table. You have to bring, you have to participate in that process. So, you are now an executive with a seat at the table. Guess what you can’t do? Sit around and wait till the words “cybersecurity” or “data privacy” come up before you raise your hand and have an opinion. You are an experienced professional who lives in a world of risk, appreciation, awareness, understanding, and mitigation.
Every business faces risk. You can apply that skill set at the table and drive value for your organization having nothing to do with cyber whatsoever. That’s what it means to be an executive. That’s what it means. And so it is not enough that you now have a seat at the table. You must use that seat, and you must use your wisdom, and your judgment, and your experience to help drive the business forward using a skill set that you have. And it does nothing to do with cyber.
It’s really about all of the things that go into making a great information security professional: permutational thinking, creativity, crisis management, risk appreciation, understanding, all of those skills are what made you a good information security officer. Now go to that and apply that to the finances of the business. Product life cycle, sales opportunities, all of those things should become part of it. Now, it doesn’t mean you want to overplay the hand, but just because you have a seat doesn’t mean anything unless you start to actually speak at that seat.
And I think that’s a critical maturation and development that has to happen in that scope of that profession. And I think that when we think about that course, Jerry, that neither you and I are going to teach necessarily, but when we think about that course, that’s got to be part of it. That executive leadership has to be part of it.Jerry: You know, I don’t want to take too much of our time on this, but I have also had people come to me and say, we are looking for a board member who has this type of knowledge as well. And they’re not easy to find. Aravind: You can find lots of people with cyber security experience who want to be on a board — dime a dozen. But what we just described is the difference between somebody who on paper could be a board member and somebody who should be a board member, at least in my view. Just having someone who’s like, “I was a CISO. I can provide that skill set. I should be on your board.” Who cares? I don’t need that.
I know lots of risk professionals on my board who can appreciate risk. They just need someone to explain it to them. If you want to be on a board, I think, with the background in information security, that can be your subject matter expertise. But you’ve got to be able to paint a picture of like, “These are all the other things that I can do to bring value to your business and drive your strategy forward.”Sherry: So, kind of along those lines of making sure you effectively communicate with the board when you have a seat at the table. What other resources would help a CISO that is trying to effectively communicate with their board? Do they need to become more aligned with legal, become more aligned with IT? What are your thoughts on that? Aravind: I’ll give you my answer, and then maybe I’ll think of how I can say it in a story. The general counsel is like an incredible resource because she’s been at all the board meetings. She knows all these executives; she’s built relationships with them. She knows how they tick. She knows the dynamics. She knows where there is disagreement and tension. She’s an incredible resource that, if you’re a chief information security officer and you’re not talking to your GC, you’re making a mistake.
Now, I have a GC mentor of mine who just recently retired who said, “I’ve been here a long time and I know where all the bodies are buried. But that’s not really the thing that I think makes me different. The thing that makes me different is that I’m the only one in this organization that can go into the CEO’s office and tell him he’s doing something stupid. I’m also the only one that the CEO will come to in confidence and say, I’m struggling with something. I need help making a decision.”
That access that that particular GC had is not unique. Well, maybe it’s unique, but it’s not unheard of. And it’s certainly not atypical in some sense. Many GCs have those kinds of relationships with their executives. And, as a CISO, I’d want to tap into that because there’s just a wealth of experience and knowledge and wisdom of having operated at a very high level that you don’t have as a CISO.
And guess what? Part of the general counsel’s remit is: manage risk. Guess what the CISO’s main remit is? Manage risk. Like I oftentimes say, lawyers and security professionals may not really want to talk to each other, but they got something in common. They are, more often than not, risk professionals in their business and trying to find a way to drive value.Sherry: Yeah, that’s completely fair because, in my experience, what I see is a huge disconnect between your general counsel and your compliance group, your IT group and your marketing group. That’s where I see huge holes that no one’s kind of communicating there. And I think having kind of a CISO relationship with the GC might be beneficial there as well. Aravind: I agree. I agree. Jerry: Well, I’m afraid I have to say we’ve run out of time, but we could go on. Aravind, it’s been great to have you with us. Thanks for joining us. I know our listeners will appreciate your insights, which are based on an awful lot of experience. Aravind: Thanks, Jerry. Thanks, Sherry. Thanks for having me. Sherry: Yes, thank you. Take care.