CISO (Cheif Insecurity Scapegoat Officer)

Opinions expressed in this commentary are solely those of MRD.

I understand the New York Department of Financial Services enacted laws, originally from March 2017 but are now in-effect, to create more accountability for cyber security efforts of major corporations - banks, insurers, financial service organisations, etc. Which require senior executives, Chairman of the Board of Directors, or senior officers (e.g. CEO) to personally certify their computer networks are protected by a cyber security program appropriate to their risk. A cyber security Sarbanes-Oxley, if you will.

3,000+ firms must have a very top-level executive formally attest to having the following:

  • cyber security program appropriate to their risk profile
  • cyber security policies to protect information systems and customer data
  • chief information security officer responsible for overseeing and implementing cyber security and enforcement thereof
  • qualified cyber security staff or contractors to work with the CISO
  • incident response plan
  • control of privileged access to its IT network
  • either continuous monitoring or periodic penetration testing
  • vulnerability assessment for their network
  • full-scale risk assessment of their information systems
  • multi-factor authentication for remote access
  • regular cyber security awareness training for staff
  • annual reporting from the CISO to the board of directors

This is all well-and-good, but for one thing; the CISO appointment. This poor sole has unattainable responsibilities for which they'll be sacked when there's a security incident, which will likely be caused by lapses from others. See, a CISO can't possibly, constantly oversee actions (e.g. development, operations, and use) of every single person within an organisation. Security should be equal and great responsible of every single staff member. And assigning such responsibility to a single individual would reduce others' sense of having such responsibilities themselves.