Last month, the former Chief Information Security Officer (CISO) of a prominent ride-hailing and food delivery organization was found guilty by a federal jury of an attempt to cover up a cybersecurity attack faced by the organization a couple of years ago. What’s different here from previous similar legal cases is that for the first time a guilty verdict makes the person (in this case the CISO) personally liable, not for the security breach itself, but for attempting to cover up the incident and failing to report it to the authorities. While the sentencing is set for a later date, the crime of concealing a felony from authorities could result in a jail term of up to 8 years.
This guilty verdict sets a precedent for liability when an organization is hacked, and it might indicate a paradigm shift of ownership for security and responsibility from organizations – who would usually “take the hit” and pay the fine – to individuals, based on their roles and responsibilities when it comes to protecting the organization and all data under its custody. This includes Intellectual Property (IP), regulated information (e.g., employee records), as well as sensitive data of partners and customers.
Nobody in charge will be able to hide behind an organization anymore and evade their own responsibilities in the case of cybersecurity incidents, as was possible in the past. However, it is paramount to understand that security is made up of many parts, and that everyone in the organization is responsible for it. Security is not a switch that is simply turned on; it depends on software, procedures, processes, and ultimately people, all working together, to protect against 99% of existing threats. It is crucial that everyone understands their own role and responsibilities when it comes to following security best practices, from top-level executives and decision makers down to the last intern.
Responsible for the security of the organization and all its data, the CISO might now find themselves wondering where their personal liability begins and ends. Before this verdict, the organization might have paid a copious fine with some employees being fired, but after this verdict, an individual might be personally held liable for a crime that could damage their reputation and career prospects. Although CISOs are neither the only ones responsible nor the final decision makers when it comes to allocating budget to security, the prospect of being personally liable could help them find the right arguments to convince their peer executives during board meetings where strategic decisions are being made about the organization’s security.
It is the CISO's job to make employees clearly understand the current security posture of the organization, and the risks and consequences a potential cybersecurity attack would carry for the organization, from reputational to financial and legal. All decision makers need to understand how far their own liability can reach in case of an issue; this might help "motivate" the more reluctant decision makers once they realize they will no longer be able to hide behind the organization or its legal team, and that they will personally be on the line when something bad happens.
CISOs and decision makers must not only follow security best practices, but also be honest and transparent in the event of a breach. Taking full responsibility, followed by remediation, is the approach in the best interest of your organization. Also, document everything! Every decision made by the people in charge regarding the organization's security needs to be clearly documented, from the most consequential decisions down to the smaller details, as this could at some point be presented to a federal regulator or used to defend the organization and its executives in a legal battle, for example after a security breach.
The CISO must keep in mind that individuals can now be held personally liable for security breaches; they need to feel the weight of that responsibility and educate employees accordingly. If employees all do their part in upholding the organization’s security posture, document security changes, and keep their communication direct and transparent, then the possibility of a security breach needn’t be as intimidating, as everyone is following best practices.
The team at ISEC7 has been working with organizations in the private and public sector to ensure their ecosystems are protected and that their security posture endures through training and best practices. Please reach out to the team at ISEC7: we can complete a security assessment, provide an objective view of what will address the needs of your organization and the risk mitigation required to secure your environment, and help you navigate the options available to strengthen and protect your infrastructure.
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group