Monday, November 17, 2014

Response to "Can a CISO Serve Jail Time?"

I just read a story titled Can a CISO Serve Jail Time? Having been Chief Security Officer (CSO) of Mandiant prior to the FireEye acquisition, I thought I would share my thoughts on this question.

In brief, being a CISO or CSO is a tough job. Attempts to criminalize CSOs would destroy the profession.

Security is one of the few roles where global, distributed opponents routinely conduct criminal acts against business operations. Depending on the enterprise, the offenders could be nation-state adversaries largely beyond the reach of any party, including the nation state hosting the enterprise. Even criminal adversaries can remain largely untouchable.

I cannot think of another business function that suffers similar disadvantages. If a commercial competitor took actions against a business using predatory pricing, or via other illegal business measures, the state would investigate and possibly prosecute the offending competitor. For actions across national boundaries, one might see issues raised at the World Trade Organization (WTO), assuming the two hosting countries are WTO members.

These pressures are different from those faced by other elements of the business. When trying to hire and retain staff, human resources doesn't face off against criminals. When trying to close a deal, salespeople don't compete with military hackers. (The exception might be transactions involving Chinese or Russian companies.) When creating a brand campaign, marketing people might have to worry about negative attention from hacktivists, but if the foe crosses a line the state might prosecute the offender.

The sad reality is that no organization can prevent all intrusions. The best outcome is to prevent as many intrusions as possible, and react quickly and effectively to those compromises that occur. As long as the security team contains and removes the intruder before he can accomplish his mission, the organization wins.

We will continue to see organizations fined for poor security practices. The Federal Trade Commission, Securities and Exchange Commission, and Federal Communications Commission are all very active in the digital security arena. If prosecutors seek jail time for CSOs who suffer compromises, I would expect CSOs will leave their jobs. They already face an unfair fight. We don't need to add the threat of jail time to the list of problems confronting security staff.

4 comments:

Ryan G. said...

A responder on the LinkedIn article posted something that resonates - "Tossing CISOs in jail will not appear because it is fair, effective, or makes sense. It will appear because of a community that is well-known for chasing its tail, and has no clue what else to do."

George Moraetes said...

I am George Moraetes, the author of that article and a staunch advocate for our profession. Richard, you are absolutely right in saying criminalizing the CISO will destroy the industry. But in saying that, it is because we hold ourselves to a much higher standard than the rest. That alone makes our jobs, the job of a CISO, an incredibly hard job to master.

I will put it in the way of a police officer tasked with keeping the peace. The police are physically armed for security, with federal and state laws protecting their livelihoods. The word of a police officer in today's society approximates, unquestionably, beyond a reasonable doubt, the word integrity. Why not the CISO? Why not arm them against the perils we face day in and day out protecting an organization's assets from theft?

My next article will address that as I am doing my research and in doing so any visionary thoughts on that would be appreciated!

Feel free to share your wisdom and thoughts on what we can all collectively do to vastly improve the profession.

Keyspace said...

I 100% agree with you here. In Australia, directors of a business can only be liable if they undertook illegal actions or were grossly incompetent. I would hate to see IT professionals at any level become responsible for actions most can only mitigate but never completely remove the risk of.

Bob said...

CISOs should be made to pay and personal assets should be forfeit when things like this happen. More accountability, I say.