Over the past decade, much has been made about the cyber security blame game, with the same question being asked: who should be accountable for a data breach or cyber incident? The answer, of course, is that it’s never black or white. But in the aftermath of many major incidents, chief information security officers (CISOs) and chief information officers (CIOs) are let go, and sometimes the CEO follows them out of the door.
In the case of one of the world’s biggest credit score agencies, Equifax, all three stepped down from their respective roles after a catastrophic breach that affected 147 million people in the US, 14 million UK citizens and 100,000 Canadians.
According to David Rimmer, the former CISO of Europe at Equifax, who was at the company during the breach, such decisions are not necessarily made for the right reasons.
“Often moves like that are made to satisfy shareholders and the press, rather than what’s best for the company – providing continuity in leadership is really important during a breach response,” he says.
Mark Walmsley, the CISO of law firm Freshfields Bruckhaus Deringer, agrees, and adds that the act of firing someone can be a knee-jerk reaction of being in a crisis.
“Bringing in someone new as a way of deferring attention can be a big risk because you’re [replacing] someone who inherently understands your business and has all of the relationships within the business [with] someone who doesn’t have any of that experience,” he says.
“The market says it’s a great idea, but the reality is that you’ve got a crisis, you probably haven’t fixed the problem yet, and then you’re bringing in someone who doesn’t know anything about anything – it’s very clearly not a great idea.”
A breach waiting to happen
Nearly all the CISOs Computer Weekly spoke to at the recent Cyber Security Connect UK conference in Monaco referred to the now cliché phrase “not if, but when”. They believe their organisations should understand that a cyber incident of some sort will happen at some point in time, but there’s no way of knowing when.
As a result, Nathan Hayes, who acts as both CIO and CISO for law firm Osborne Clarke, suggests there will be cases where it may be the right call to axe someone from the role.
“If there’s been catastrophic failings, then there’s not a lot you can do about it – somebody has to take responsibility. However, if you know all the reasonable arrangements are in place, then to axe someone would not necessarily be in the best interests of the company,” he says.
Ameet Jugnauth, head of IT and risk at Lloyds Banking Group, adds that it should be considered by those making hiring and firing decisions that CISOs or CIOs cannot predict every possible scenario.
“Should every CISO’s job be impacted [by a breach]? If you knew you were sitting there with vulnerabilities and did nothing about it, that’s very different to patching as much as you could, realising risk and managing it – that’s as much accountability as you can have,” he says.
Johan Pieterse, director of enterprise IT and group security officer at the Racing Post, puts this into perspective.
“If you have 10 guys walking through the door of an office with AK-47s, should I have a strategy for that? I’m not going to spend money to have three layers of security for the Racing Post for that. However, if they get into your systems – physical, virtual or cloud – and I haven’t patched my systems or done anything, that’s completely different,” he states.
It should come as no surprise that CISOs are essentially pleading with their organisations to understand the inherent risk of using IT in 2020. After all, a Nominet survey of more than 400 CISOs in the US and UK, conducted by Osterman Research, found that many of them (6.8% in the US and 10% in the UK) believe they would be fired in the event of a breach.
A tainted CV or an invaluable experience?
While there is much talk about the immediate impact of a cyber incident, what about thereafter? Would the CIOs and CISOs who’ve been axed manage to get similar or even better jobs, or are their CVs tainted because of their association with a cyber incident? Would any cyber security or IT staff who leave of their own accord also find themselves in a similar situation?
According to Joe Hansard, cyber security recruitment consultant at La Fosse Associates, it wouldn’t necessarily hamper their future employment prospects. “It would be how they reacted to the breach that they would be judged on,” he suggests.
However, if they were removed shortly after the incident – as was the case at Equifax – it may be difficult to prove they’re the right person for the job, or to prove to future employers that they did put all of the right protocols in place to avoid such an incident.
If they were allowed to continue in the role, at least for a short period of time, there is a greater chance that the incident could enhance their CV.
“I work within the contract market, and, if anything, being at an organisation during a breach adds value to a CV, not the opposite. They are able to get a first-hand account of the breach to understand what led to the breach and the incident response plan that followed,” says Hansard.
“This experience is invaluable – being at the helm in the midst of a breach, working around the clock and the war stories gained from this can offer real value to future employers,” he adds.
Pieterse believes his experience of dealing with a breach without being directly accountable for it – as he was not the CISO when it happened – is invaluable.
“The good thing about it is that I have had the experience of dealing with the ICO [Information Commissioner’s Office], remediation and implementing policy solutions such as ISO 27001,” he says.
In fact, Freshfields’ Walmsley believes experience of a breach or hack could make an applicant a better candidate for a job.
“A lot of people we hire come from professional services where their job is about breach management on the professional services and managed services side. That means our incident response team internally have all worked at the big providers, so they spend all day saying ‘we’ve got an incident – this is how we respond’. It’s already part of their DNA,” he says.
All of these comments chime with an Optiv Security study which found that 58% of CISOs believe that experiencing a data breach would make them more attractive to future employers.
The real deal
The reason that the experience is so valuable, according to Osborne Clarke’s Hayes, is that most teams will undergo constant tests to see how they react to a cyber attack, but there is nothing quite like actually going through it.
“Somebody with that experience would be of benefit as they would have gone through a real event rather than a training programme with a pseudo environment,” he states.
For those in more junior cyber security roles, being involved in a large-scale hack or breach can be extremely difficult, and Pieterse suggests they should therefore follow the same advice as CISOs – making sure they are doing everything within their position to prevent such an incident from happening.
“As long as you’re finishing the work, doing it correctly and you’ve made people aware around you what the risks are and what the team is doing about it, then it is always considered good experience. It gets negative when you don’t do the research, don’t do the bread and butter kind of things such as patching, or don’t communicate effectively,” he says.
In other words, as long as you’re doing what is required of your role – whether it’s as an engineer, CIO or CISO – and you’ve matched the risk appetite of the company with your actions, then even if the company were to suffer a data breach or cyber incident, your role shouldn’t be under any threat, nor should your career prospects.
The issue is that many organisations, CEOs and investors don’t actually understand the risk appetite and put too much pressure on the IT and security teams. As a result, even if someone is not to blame for a cyber incident, they are let go, and on the outside it looks as if they were to blame and that they did something unforgivably wrong.
In one such case, a former CIO told Computer Weekly they had left their role of their own accord, and that it had nothing to do with the data breach in question. Hopefully, they can share their version of the story and what they’ve learnt as a result when they’re searching for their next job.
Those in cyber security roles or in the midst of a cyber security incident should take encouragement from the likes of Dido Harding, the former TalkTalk boss who is now chairman of NHS Improvement, and former Target CIO Beth Jacob, who is now senior vice-president, strategic advisor and leadership coach at SPS Commerce.
Much like data breaches, it’s not a matter of if you’ll find a new role, it’s a matter of when.