I have the privilege of spending significant time with some great board directors who serve on both public and private company boards. That time with non-technical business executives provides some context for many of the current arguments about a paradigm shift facing CISOs that results from the 2024 SEC Cyber Incident Reporting Rules. I have also studied the topic extensively, and I teach this to the business, technology, and security executives who have taken my class.
A few thoughts based on what I have seen and discussed with many people in many places:
- CISOs are not superheroes. They are people who have specialized skills and play an important role in modern organizations. The CISO should NOT be solely responsible for protecting the organization from all threats and preventing all compromises, just as the COO and the CFO are not solely responsible for 100% of operations and for every penny spent by the organization, respectively. The best measure of success for the CISO is the deployment and maintenance of a program that keeps cybersecurity risk at an acceptable level, using the resources allocated by the organization to respond to a prioritized list of risks that the organization has agreed upon.
- The burden of managing cybersecurity risk should not fall exclusively on the CISO. Ideally, security is an enterprise risk management (ERM) function that should work in conjunction with other ERM practices to identify, address, and respond to all relevant risks facing the organization. These risks require adequate attention at the board and c-suite level. These risks require communication and prioritization. Oversight from the board and management from the c-suite must work together for ERM to be effective.
- CISOs are not corporate officers. Corporate officers who are subject to the SEC rules are usually appointed by the board of directors. If the CISO was not appointed by the board, the CISO should not carry the level of accountability that requires D&O insurance, nor be solely responsible for all cyber risks facing the organization. Arguments for CISOs to have Directors and Officers (D&O) insurance when CISOs are not corporate officers seem to be an exaggeration or a pitch to increase insurance sales.
- The Duty of Care demands that board directors have adequate knowledge about the risks they are overseeing. Most cases affecting board directors focus on “Caremark Claims” that originated in the Delaware Chancery Court. These claims relate to the failure of board directors to provide adequate oversight. Competence to honor the duty of care highlights the importance of training and education for board directors – even if the requirement was not enforced in the current reporting rules because of ambiguous definitions. It does not mean that boards must disrupt their skills matrix by adding CISOs to the board when the CISO can provide just as much value as a member of a dedicated risk committee.
- The SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule is not really about security. The 186 pages of the rule focus on governance, director responsibility, and justifications for timely and reliable information that protects public company investors and shareholders. The rule mentions the CISO role only five times, and most of those references are in commentary and rationale rather than in the rule itself. Following the intent and spirit of the rule produces transparency about the impact of a material incident on the value of a public organization, in the interests of investors and shareholders. One could also argue that following the intent of the rule produces consistent information. Before the rule, material impacts were reported inconsistently in a variety of places.
I look forward to your feedback in the comments below.
Chief Information Security Officer @ James Cook University | Advisory Board Member | IT and Risk Committee Member | Security Compliance and Governance | Mentor
8mo: That is an excellent summary of the issue. Although we do not have the same requirements in Australia, they are similar.
Lead- Information Systems & Services |Project Management | Cyber security | Hotelier & Hospitality| Consultant | ISC2 Member | MSIS | SEC+
8mo: Fantastic point. That's an interesting perspective, but it's not entirely accurate. Chief Information Security Officers (CISOs) are indeed corporate officers in many organizations. Their role involves overseeing and implementing strategies to protect the company's information assets and manage risks related to information security. While their exact position within the corporate hierarchy may vary depending on the organization, CISOs often report directly to the CEO or another high-ranking executive. In this capacity, they play a crucial role in shaping the company's overall security posture and ensuring compliance with relevant regulations and standards. So, while they may not always hold the title of "officer" in the strictest legal sense, they typically fulfill the responsibilities associated with corporate leadership.
Marketing/Product Marketing Leader; Consultant
8mo: Good observations, Keyaan Williams!
Director Strategic Alliances
8mo: Keyaan Williams, great insight here. I do see the dilemma of CISOs having sole responsibility but not being corporate officers. If we are to take this argument a step further, then the risk and security of the organization should rest with the corporate officer the CISO reports to, yes? In point 1, "The best measure of success for the CISO is deployment and maintenance of a program that maintains cybersecurity risk at an acceptable level ..." One issue CISOs face is the quantification of the risk they have mitigated. Most CISOs do not know how to articulate in the language of business how they are doing against this measurement. Miguel Clarke, Temi Akinlade, I am interested in your thoughts.
Cybersecurity Executive | Risk Management | Program Creation | Privacy and Regulation | Vendor Management | Mentoring | Strategy | CISSP | CISO
8mo: Hi, Keyaan! Number five jumps out as the most misunderstood concept, and you are correct. Disclosures are not directly related to their topic - financial disclosures, foreign investor disclosures, security disclosures, &c. Disclosures are about managing the risk of those who want to invest. Having said that, requirements for inspection of your security do tend to raise the bar. Since the bar for security is usually in a hidden sub-basement, I am not going to object too heartily.