CISO (Cheif Insecurity Scapegoat Officer)

Opinions expressed in this commentary are solely those of MRD.

I understand the New York Department of Financial Services enacted laws, originally from March 2017 but are now in-effect, to create more accountability for cybersecurity efforts of major corporations - banks, insurers, financial service organizations, etc. Which require senior executives, Chairman of the Board of Directors, or senior officers (e.g. CEO) to personally certify their computer networks are protected by a cybersecurity program appropriate to their risk. A cybersecurity Sarbanes-Oxley, if you will.

3,000+ firms must have a very top-level executive formally attest to having the following:

  • cybersecurity program appropriate to their risk profile
  • cybersecurity policies to protect information systems and customer data
  • chief information security officer responsible for overseeing and implementing cybersecurity and enforcement thereof
  • qualified cybersecurity staff or contractors to work with the CISO
  • incident response plan
  • control of privileged access to its IT network
  • either continuous monitoring or periodic penetration testing
  • vulnerability assessment for their network
  • full-scale risk assessment of their information systems
  • multifactor authentication for remote access
  • regular cybersecurity awareness training for staff
  • annual reporting from the CISO to the board of directors

This is all well-and-good, but for one thing; the CISO appointment. This poor sole has unattainable responsibilities for which they'll be sacked when there's a security incident, which will likely be caused by lapses from others. See, a CISO can't possibly, constantly oversee actions (e.g. development, operations, and use) of every single person within an organization. Security should be equal and great responsible of every single staff member. In fact, assigning such responsibility to a single individual would reduce others' sense of having such responsibilities themselves.