How CISOs Can Mitigate Personal Liability Concerns
CISO Quentyn Taylor on Preparing for More Scrutiny in Wake of SolarWinds Charges

SEC regulators have filed charges against software company SolarWinds and its CISO Tim Brown, accusing them of misleading investors about the firm's cybersecurity practices in light of a high-profile hack in 2020.
The case is part of a growing trend of prosecutors targeting individuals within corporations, placing CISOs and CIOs at risk of personal accountability, and Quentyn Taylor, senior director of information security and global response at Canon, said he is concerned about the implications for other security leaders.
"I am worried about the effect this might start to have. CISOs are not used to having this kind of pressure, and IT people, to be fair, are not used to having this kind of pressure," Taylor said. "Many of the situations that you find yourself in are very nuanced. When someone says, for example, 'Is this thing secure?' Well, your answer, by definition as a security person, is probably 'no' because nothing can be 100% secure."
Taylor advised security leaders to "be open, be honest and make sure you document things clearly, so it's totally unambiguous what your statement is. Never play politics. Don't say what you think people want to hear; say what the truth is, and explain that truth and qualify that truth to the people."
In this video interview with Information Security Media Group, Taylor discussed:
- His own approach to cybersecurity practices and risk disclosures to mitigate personal liability as a CISO;
- How security leaders can prepare for increased scrutiny and potential liability across the industry;
- Best practices to facilitate effective communication between the board and the cybersecurity team about the state of security practices.
Taylor has experience in delivering security to meet business objectives and is an expert in information security, strategic management and risk management.