CISOs are always under pressure.
They’re under pressure to prevent data breaches, and if one slips past, they usually take the fall for it.
They’re under pressure to keep their organizations secure without impeding business growth. They’re under pressure to keep costs down.
And now, with the SEC’s proposed enhancements to its cyber risk and incident disclosure rules, CISOs may face a new kind of pressure: pressure to downplay the cyber risks their organizations face.
Malcolm Harkins, the Chief Trust and Security Officer for Epiphany Systems (and former Intel CISO), says security leaders have faced this pressure for some time. In 2020, he surveyed more than 100 CISOs and found that 76% had felt pressure to under-report a cyber incident.
Harkins says this pressure is problematic for a number of reasons. For one, it can force CISOs to compromise their integrity and code of ethics. And succumbing to this pressure can have disastrous personal consequences for security leaders, not to mention far-reaching implications for their organizations, and even for customers who may be affected by an eventual data breach.
Don't Succumb. Speak the Truth.
However, there are a million, or perhaps 3 million, reasons not to capitulate, and instead, to speak the truth about cyber risk. Recently, the SEC reached a $3 million settlement with Blackbaud, a data management company, over charges that it misled investors about a 2020 ransomware attack. This appears to be the first SEC settlement related to a ransomware breach, although other companies have paid smaller fines for failing to report other types of breaches.
Blackbaud originally announced that attackers did not gain access to customer bank account data or Social Security numbers, and the SEC accused the company of not correcting those statements after its IT team found otherwise. The company also did not mention the breach in its next quarterly report to the SEC.
Harkins noted the settlement on LinkedIn, advising his peers to “make sure how you report risk is as accurate as possible and seek appropriate counsel if your organization seeks to modify (hint - dilute) how the risks you are responsible for managing are characterized.”
For several years, Harkins has been on a mission to raise awareness of, and encourage, a strong code of integrity among CISOs. He encourages his peers to speak up when they face pressure to underplay cyber incidents, a disconcerting trend he doesn’t see subsiding.
When he’s shared the results of his 2020 survey with peers, he says he’s had “so many agree that they have experienced this pressure, so anecdotally, I think the numbers are relatively consistent.”
In an RSA Conference webcast from 2020, “Integrity Matters, and Things that Matter Aren’t Easy,” Harkins and other security professionals talked about ethical pressures on CISOs. He and three other security professionals “acknowledged that we could anticipate when the pressure was likely to arise—we could smell it, feel it like a sixth sense—and came to the conclusion that we need to trust and use our instincts to address ethical dilemmas earlier, to create enough space so that the right questions can be asked and the best solutions created,” he wrote at the time.
CISOs need to work with trusted peers to gain perspective on these dilemmas, he added.
“Ethical decision-making is a requirement of leadership, a deliberate commitment,” he wrote. “It is supposed to feel uncomfortable, and if it does not, then you are not doing it the right way.”