Do You Need a CISO, & Employee Contract May Keep CISO Out of Jail – BSW #307

Matt Alderman

1. Do You Really Need a CISO?

   A CISO is a senior executive in charge of an organization’s information, cyber and technology security. CISOs need a complete understanding of cybersecurity as well as the business, the board, the C-suite and how to speak in the language of senior leadership.

   It’s a changing role in a changing world. But do you really need one?

2. A CISO Employment Contract May Mean the Difference Between Success and Jail

   CISOs are responsible for the security of an organization’s information systems and data and they are often held accountable for any security breaches that occur. Both the Sullivan/Uber criminal case and the SolarWinds/SUNBURST civil case against the company’s CISO demonstrate the need for CISOs to have personal protection as part of their jobs. To protect themselves from civil and criminal liability, CISOs should ensure that they have the following:

   • D&O or other liability insurance
   • A duty of the company to indemnify and hold harmless
   • Express whistleblower protections
3. CISO and board collaboration, driving better outcomes together

   Your organization’s board has a unique role to play in managing cyber risks. Board members are not involved in the day-to-day cyber security strategy development and execution, but they are responsible for oversight and serve as fiduciaries.

   Although it can be difficult for board members to engage around cyber risk, board members are expected to ensure that cyber risk remains on the agenda, as it can affect customer data, trade opportunities, and share prices, among other things.

   Despite the fact that cyber risk became a board-level topic quite some time ago, boardroom stakeholders who drive the cyber security conversation can have misaligned viewpoints, translating to inconsistent corporate visions and weak decision-making.

4. CISO’s push for mental health support in cybersecurity

   A new report hopes to challenge the way the industry deals with burnout, stress, and mental health problems. The immediate actions of the report will be:

   • Professional and certifying bodies should include the awareness of the importance of mental health and stress issues into their knowledge domains, certifications, standards, frameworks, and best practices.
   • Governments, professional and certifying bodies should make funding available for research on mental health in cybersecurity.
   • Enterprises should actively include mental health in their strategic planning & measurable outcomes.
   • Cybersecurity professionals should speak out about stress, raise awareness and identify signs and symptoms of stress in themselves and their colleagues, and explore ways to support their teams to address the root cause.
5. Cybersecurity risk could soon become buying criteria for CSCOs

   A recent survey from Gartner finds just how important cybersecurity has become for businesses with fewer than 1,000 employees. According to the research firm, 60% of supply chain organizations plan to use cybersecurity risk as a “significant determinant” in conducting third-party transactions and business engagements by 2025.

   This means chief supply chain officers (CSCOs) need to be on top of the latest threats in a quickly changing environment.

6. When Your Employee Tells You They’re Burned Out

   Burnout is affecting both leaders and employees — and contributing to a talent shortage that’s challenging and costly to navigate. It can be challenging for even the most enlightened managers to have conversations about employee burnout while managing the needs of the business. The author offers five steps to take when an employee comes to you expressing burnout:

   1) Treat their concerns seriously; 2) Understand their experience of burnout; 3) Identify its root causes; 4) Consider short- and long-term solutions; and 5) Create a monitoring plan.