NCC calls for Board-level executive sessions with Chief Information Security Officer
Lead Author: Rick Crandall, Chairman, NCC Cyber Committee
- Industry experts predict that 2023 will see the Great Resignation phenomenon spread to the Chief Information Security Officer (CISO).
- Between 32 and 44% of CISOs were either considering or open to leaving their jobs, mainly due to job stresses and the impact on work-life balance.
- One stressor is the prospect of negative public press and possible increased liability triggered by recent events in the news and the courts.
- At the recent Davos World Economic Forum gathering, the top risk mentioned for enterprises was cybersecurity penetrations.
- NCC recommends CISOs should be called into executive session with board members or state leadership without their superiors present, similar to current practice with senior financial executives.
CISOs Are Leaving in Droves
The Great Resignation has been front-page news since Covid lockdowns, with many employees looking for the work-life balance they enjoyed at the time. Now, the phenomenon has spread to the role of Chief Information Security Officer (CISO) and shows no signs of letting up. In fact, industry experts predict that it is likely to worsen.
A recent study from cybersecurity company BlackFog found that 32% of CISOs in the U.K. and U.S. have considered leaving and many planned to do so in just six months. The majority noted that the top reason for leaving was a lack of work-life balance. The CISO role is demanding, with firefighting and frequent changes in regulations and customer expectations taking up significant time both on and off the job.
In another recent study, IANS Research and Artico Search surveyed 581 CISOs on compensation and job satisfaction. Three-fourths of CISOs are satisfied with their job, which is 7% higher than in the 2021 sample and more than double that of the 2020 sample. The main drivers of satisfaction are compensation, budget, executive visibility, and organizational support. However, despite high satisfaction numbers, the study found that as many as 44% of respondents are considering a job change.
There is a perception that CISOs face heightened liability for cyber intrusions and the response to cyber events. One extraordinary example is the recent conviction of Uber’s former security officer, which represents the first time a security executive has faced federal crime prosecution over a data security response. In this case the finding was that he obstructed justice by concealing information about a breach, destroying data, and covering up the incident.
CISOs are often in the hot seat when it comes to cyber-intrusions and how they are handled. The Board of Directors (possibly including named corporate officers) in most cases are protected by being diligent about the Business Judgement Rule (BJR). Heavily adopted in Delaware case law and since adopted in various forms in many states, this “rule” stipulates that proper oversight includes demonstrating the duty of loyalty (no conflicting interests) and the duty of care (make informed decisions) in order to be protected from liability. There are few cases (Enron being one) where liability was found, and there it was for illegalities and poor business judgment.
Since CISOs are not named corporate officers in most cases, BJR does not provide comfort. Similarly, liability insurance which covers legal defense fees and cash judgments often covers only directors and named corporate officers unless the CISO has been specifically included in the policy.
Regulations at the state and federal level are increasing and expectations have changed about what and when cyber incidents need to be reported – to the public, the government, customers, partners, and suppliers. How organizations respond to cyber-attacks, especially in the timing and forthrightness of disclosure, has been all over the map, ranging from immediate and open disclosure to outright coverups. This can create a dilemma for the CISO who usually has front-line knowledge about an incident and what data, identities, customers, and other stakeholders are affected but who may be at cross-purposes with those above them.
Another dilemma the CISO faces is deciding what to do when critical issues are poorly communicated to, or not fully appreciated by, higher-level executives and board members, especially during times of tight budgets or budget cuts. Becoming a whistleblower is an option, but doing so has its own set of ramifications.
Improving Board-CISO Transparency
There is a mechanism found in corporate governance best-practices for ensuring that the most senior people in an organization get direct, unfiltered input from a key executive, regardless of reporting structure. It is called the executive session. This is in common use by Boards of Directors who meet individually with the Chief Financial Officer, Controller, and other key executives, notably without other management in the room. Questions are intended to be penetrating and the respondent is expected to respond openly. Now that cybersecurity has risen to a top risk for the enterprise, the CISO position should be among those who appear individually in an executive session with the highest governing body of an enterprise at least annually. This addition to governance best-practices would give Board members and State governors unfiltered information on cybersecurity matters, thereby helping to fulfil their oversight responsibility.
Bob Zukis, founder and CEO of the Digital Directors Network, reports that a survey of its membership of more than 900 IT, cyber, and boardroom leaders shows nearly half of the respondents already have some form of this policy in practice. However, this is still a minority of the overall CISO population, signaling more transparency between the CISO and Board is needed.
CISOs in State Governments
Government organizations also face many of these issues. Evidence shows that CISOs in state governments are as vulnerable to other job offers as CISOs in the private sector. In the span of eight days in October 2022, there were several reports of state CISOs resigning, including Oklahoma, Georgia, Pennsylvania, and North Dakota. 
Legal liability is not an issue the government CISO needs to be worried about since governments and their employees are immune from legal suits. However, government CISOs are highly concerned about shouldering blame, especially in the press, for security intrusions or their coverup.
As with private industry, state governments should also institute this recommended practice. NCC recommends CISOs be called upon to appear in an executive session with agency heads and even the governor at least once a year.
The State of Texas, for example, already has a version of this policy implemented in a statute and in practice. Texas Administrative Code includes provisions for:
- Reporting, at least annually, directly to the agency head the status and effectiveness of the security program and its controls.
- Informing any relevant parties in the event of noncompliance with the state agency’s information security policies.
Resolving the Great CISO Resignation
For organizations across the public and private sectors, cybersecurity has risen to one of the top risks and has increased the importance of the role of the CISO. Most are looking to improve their work-life balance and reduce some of the stressors of the job. While many CISOs are also concerned about trends in liability and becoming headline news for decisions made on the job, requiring CISOs to appear in executive sessions with board members or state governors can help to alleviate these concerns and improve CISO job satisfaction while at the same time improving how the most senior levels of organizations fulfil their responsibilities for oversight of top risks.
The NCC expresses appreciation for the review by:
Luis A. Aguilar – Expert in corporate governance; Board Leadership Fellow of the NACD; Former Commissioner of the Securities and Exchange Commission under George W. Bush and Barack Obama; former General Counsel & Executive Vice President of Invesco, Inc.
Bob Zukis, CEO and Founder of Digital Directors Network focused on developing boardroom digital and cybersecurity oversight.
For more information, contact the author, Rick Crandall, at firstname.lastname@example.org.