The evolving role of the CISO and preparing for a new age of enforcement


15 minute watch, 10 minute read | April.24.2024

With SaaS and data core to almost every business, CISOs are being called on to take responsibility for not only the corporate network and compliance but also get involved in the sales process to provide assurance of digital product security, according to Kroll’s David Dunn.

Below Orrick’s Aravind Swaminathan speaks with Dunn about the new landscape. In the first video, they discuss the expanding CISO role, and the second explores how CISOs and other executives avoid the new line of fire.

From evangelizing product to collaborating with the C-suite

  • Aravind: I'm Aravind Swaminathan, I'm a partner at Orrick, Herrington & Sutcliffe in our Seattle office and I'm part of our Cyber, Privacy and Data Innovation practice group.
    David: I'm David Dunn. I'm the Chief Information Security Officer for Kroll, and I’ve been there for about eight years. Prior to Kroll, I was the Director of Incident Response for FIS Global and I had about a two decade career in law enforcement before that.
    Aravind: So, Dave, I want to start in a place that's where the CISO community is changing. So I think traditionally, the CISOs responsibility was to protect the corporate network, right? And that's obviously changing as we have more SaaS services, more products in development, where security is a big part of it. Just talk to me a little bit about that balance. I'm interested in your views on: Is it a good idea for the CISO to have both roles? Should they be split? Let's talk about the pros and cons of that.
    David: Sure. I think that it's important that a CISO has a heavy involvement in the product side. When you look at what it takes to secure an organization, it's not just the hardware and the infrastructure, it's the data. That's what so many organizations possess. Those can be the crown jewels and it’s the area where there’s the most risk both from a compliance privacy type of an area. So if a CISO isn't involved in those aspects of the business, you're going to really have a hard time.
    Aravind: Okay. So let's get a little bit deeper on that. So as you're moving from one role to the other, what are the challenges that a CISO’s going to have in going from understanding the corporate environment and then moving to the product side? And what should they be most focused on?
    David: Understanding how a business makes money. The number one thing that a CISO has to think about is: How does an organization generate revenue? Because you can secure the borders and do that at a certain price point. But to support product, to support application, you have to have an understanding of how they generate revenue so that you can support them. You have to be a supportive CISO who's engaged with the business.
    Aravind: Are there technical limitations that the CISOs of yesterday will have in making that transition, or is it more of a business aspect to their experience that is really going to be where there are challenges?
    David: I think it's the business aspect, right? You can have a very, very technical CISO, and there are many of them that are out there that are very good on the technical end. And they have a hard time taking their fingers off the keyboard. And you could have the other side of the board, which is the compliance CISO that is just worried about your ISO, your SOC certification, sometimes privacy, and then you can have the business CISO who's – a lot of times thats actually called a BISO or a Business Information Security Officer – and that person is really focused on the supporting the security needs of the business. But I think for a well-rounded CISO, these days you have to have all three skill sets.
    Aravind: Okay. So if I'm part of the C-suite, let’s just say I'm the CEO for a second, and I'm trying to make the decision on whether I wanted it to be combined into one role or bifurcated into two roles, what do you think CEOs or the C-suite should be thinking about as they're making that decision?
    David: I think the number one thing is how technical do they want to be, right? So if you're the top, if you're the C-suite, if you're the CEO and you're going to bifurcate those roles, that's fine. You can do that. But you need to make sure that you're now the coordinator of security as a CEO, right? You're going to have your infrastructure CISO and you're going to have to understand how that person deals with infrastructure. You're going to have your business CISO and you’re going to have to understand how that works. And there can be challenges with ensuring that all of the pieces are functioning well and working together well.
    Aravind: Okay. So if you want to take yourself out of that role, you can unite these two responsibilities, right? And have them live under essentially one person.
    David: I would actually call it three responsibilities. There's the compliance side, there's the business side, and then there's the infrastructure side.
    Aravind: Okay. So let's talk about the downsides of now combining those roles. Right. So what is the downside if you have that role living under one roof?
    David: It's a lot. I think the downside is finding somebody who can organize and manage that effectively because it's three very, very different disciplines that require different skill sets. Right? You've got your person that doesn’t have to be the most technical person in the world, but understands the technology and can lead and direct and empower your sort of technology or engineering side of the CISO organization. You've got to have somebody who is business-focused, who can talk to your business leaders who can talk to your product people and get them to buy into security. Like security is sales. A lot of times it's being smart enough to be able to sell security to the business unit so that they understand the importance and the consequences of not doing security correctly. And then you've got the compliance side, where you've got to have somebody who can honestly talk to auditors and give them the comfort and confidence that you guys are doing things correctly.
    Aravind: So we're seeing a lot more CISOs that have this product responsibility becoming evangelists for the product and becoming part of the sales team. Right? And so they're on the front lines talking to customers and talking about the value proposition of what the product or the service is, right? From a security perspective. So where are the pitfalls in that? What do you worry about in that perspective or what should you be thinking about if your role is going to migrate into that where you're asking actually being asked, like we want you to go talk to customers, we want you to evangelize our products.
    David: I think a big part of why that's happening is because you're seeing sort of that shift in risk from just the product owner to now the customer if they have, you know, all of the GDPR data controller, data owner, all that stuff. So customers are expecting a much higher level of security engagement in that sales process. The risk from a CISO is not getting it right. It's not understanding the product well enough, misspeaking to a customer on certain things and just, you know, sort of overdriving your headlights.
    Aravind: Yeah. And you know, look, we've seen that right, in Tim's case with SolarWinds, right? It's interesting cause the SEC complaint is so much about what did he know about the products, what was the product security? And part of the statements that Tim was making in the context of that, was about how good the product was, right? So when you look at that, do you take any lessons out of that for yourself? And what are the things that you're learning from that saying like, this is what I really need to be mindful of going forward?
    David: For me, it's the architecture of the product and making sure that my engineering teams are deeply embedded in the product development lifecycle. So for me to be able to speak about our product, the means I need to trust people that report directly to me that they've evaluated that product, that they've done the penetration testing, that it’s been architected to our standards so that I can speak to that.
    Aravind: One of the challenges is that like we've always talked about security by design and the products teams owning that function. How does that change, if at all, or because you're talking about your engineers on your team versus product engineers on the product team? How does that change? Like how do you make that work?
    David: So the way we make it work at Kroll is we have a dedicated security architecture team that reports to the CISO, and I think that it's important that they're empowered to make decisions and that they don't report to the product team so they can be, you know, brutally honest about concerns that they have without concerns that they're going to get pushed by product. You know, product generates revenue. Product is often a very huge priority. But at the same time, you've got to have somebody who can speak honestly to the CISO and say, these are what my concerns are so that I can help address those.
    Aravind: So clearly you're empowered to do that at the organization. Where does that come from? And now, think about if you're going to coach a C-suite team or even a board on how to think about this problem from a governance perspective, because a lot of what you're talking to is organizational change. What's the conversation that you're having in that regard to help them understand what is, to many, a very nuanced difference between whether those engineers live on your team or whether they live in the product team.
    David: So it's a very deliberate decision. You know, I report to our Chief Legal and Risk Officer, Ed Forman at Kroll and that is done very deliberately so that risk is managed by the head of risk for the organization and he reports directly to our board of directors. So there's nobody in I.T. or product between me and the CEO. And I think that's an important distinction. A lot of organizations will potentially have a CISO reporting into a CIO and also have product, and that can work. But, you know, it comes with challenges as well.
    Aravind: Yeah. So now put yourself in like a prospective CISO’s role or shoes. So now let's just say and I know you're not, but let's just say you're looking for a job, if you're in that role now, looking at an organization, what do you want to be thinking about when you're interviewing for that job and saying, is this the role I want? Right? There are some good roles and there are some bad roles, and I think there's a tendency for people who want to become a CISO, and are not yet at that level to want to jump at a job to get the title and to be in the role and have the responsibilities. But talk to me about what you're worried about. What are the pitfalls? What should prospective CISO candidates be asking? What should they be trying to understand to determine if it's the right fit?
    David: I think the number one thing is what is the role, right? Like we've already talked about, there are three different types of CISOs, and they can be any combination thereof. It's what your skill set is, right? If you're a technical CISO and they're looking for a compliance CISO that may not be the right fit for you. If they're looking for technical and product and you have those skill sets, that might be the right fit for you. So I think really understanding the role of the CISO as it exists. And the other part of it is the CISO role is continuing to evolve at almost every organization. So it's understanding the vision for that CISOs role. So there's a lot of organizations that may have a compliance CISO so that they want to get moved into product or they want to move into more technical engineering roles as understanding and, what the the view of the organization is of the evolution of that CISO job and function.
    Aravind: So you said you report to Ed Forman who's the head of legal, right?
    David: Yeah.
    Aravind: So now talk to me a little bit about as a CISO in those roles with all those different potential responsibilities, what are your conversations look like with your boss in this case? Right, with legal in particular, what are some of the areas that you guys are having more conversations around risk and what do those sound like?
    David: All of our conversations are around risk and it's what we've been working on most recently is breaking our risk into bigger buckets. So what are our you know, it's not the ten things, the ten individual factors, we're trying to put all of those risk factors into a specific risk. Like this is our network risk. And these are the contributing factors. This is the product risk that we have and these are the contributing factors. We're trying to distill those big bucket risks into things that we can educate the board about and then we can educate our CEO about. So we’re really working on what does that 30 or 50,000 foot view of risk look like for the organization.
    Aravind: And it sounds to me like there's a translation process that's going on here, like you've shifted from talking about the technical side to talking about it in the context of risk, right? Which and tell me if you agree or not, but that sounds like it's a lot easier for your supervisor, the person you're reporting it to, to understand that don’t understand all the technical nuances of what we've been talking about just before. Right?
    David: Absolutely.
    Aravind: And so what can CISOs do to kind of digest and make that translation? Particularly like whether it's legal or whether it’s their CEO or their board, talk to me about what they should be doing to translate the technical operational sides that they see, to risk, which is much easier, I think, to understand for the executive team or the board.
    David: Sure. And I think about it in the terms of search warrants. Back in the day when we were working on criminal cases, we would have to write a technical search warrant that a judge who is not technical can understand. And I use that analogy a lot because that's what I do every day, all day. I take all of these very technical factors and distill them into something that's quantifiable, right? I need to be able to tell the board, I need to be able to tell our CEO this is the risk in a non-technical way. We have this network risk, we have this product risk, this is what we need to do to mitigate that risk. If we don't, here are the potential consequences from reputation, from a monetary perspective. So it's really trying to take as much of the technical out of it as I can without taking all of it out. And a lot of times it's also education. So if I think about how I talked to the board four years ago versus how I talk to the board now, it is a much more tactical discussion.
    Aravind: That's super interesting to me. How has that evolved? So in two questions, right? Are boards getting more technical in their ability to understand some of the conversations that maybe three or four years ago they didn't have the tools to understand? And then how are you thinking about when you're talking to the board about those risks? How are you thinking about building those technical things so you can build that awareness? So talk to me about how your role in communicating with the board in particular has changed.
    David: So, you know, I think boards in general are getting more technical, both existing or legacy members of boards are getting more technical and then younger, newer members are coming in who are just inherently more technical within the various boards. So my role is every time I talk to them to get just a little bit more technical, I'm not trying to break down the bits and bytes and that kind of stuff, but getting them to understand some of the higher level concepts is really one of the critical things that we work on. It's important for them to make risk based decisions because there are higher expectations on boards now as it relates to cybersecurity.
    Aravind: So the SEC for public companies, right, has emphasized the need for board members to be adept at understanding that. Have you seen, and just talk about in terms of growth, they want a disclosure like who has this expertise, who has cybersecurity expertise, which is a) difficult to find on existing boards and difficult to find to get onto a board with all the other things that board members need to do. Talk a little bit about how you've seen your own board evolve, or boards evolve, do you think you really need that? Is that a really a skillset that's necessary given if a CISO does what you've just described you've done, is that really something that's necessary for the board to be able to appreciate what cybersecurity risk is?
    David: It's hard to say. I think. Yes. And no. If you have a board that is interested in the technology and then having a specific cybersecurity person, I don't necessarily think I would agree with that. But I mean, we do get technical. We talk about vulnerabilities, how our vulnerability management program has functioned, improved over time. That's one example of what we did at our last board presentation. And, you know, they understood that there weren't issues. And I think that's a correct level of sort of knowledge there. Granted, I'm not there when they have discussions and I'm out of the room. So I think having a very technical person on the board, they can evangelize, maybe answer questions if they didn't want to ask me specifically. But I don't think it's going to change either. I think the requirements for that technical role is just going to continue. And at the end of the day, it's going to be about accountability, right? When we look at there is more and more sort of demand and requirement for accountability at the C-suite, at the board level.
    Aravind: Great. Thanks Dave, I really appreciate the conversation.
    David: Absolutely.

Customers are more focused on the security risk of the products they purchase than ever before. It’s an essential part of the sales process today and a key part of the balancing act that CISOs must navigate. Moreover, it’s an area where CISOs can partner with the business to add value and build trust.

Swaminathan predicts the shift will bring about organizational changes as companies seek to support their CISOs. For example, Dunn shares that at Kroll, he oversees a security architecture team that is empowered to review product from a security standpoint, supplementing the review of revenue or other priorities of a traditional product team.

But this role comes with challenges. 82% of CISOs say they have to paint a rosier picture in front of the board and 58% report they struggle to communicate technical concepts to senior leadership, according to a survey from FTI Consulting.

About one in three senior executives believe that their companies’ CISO paints an overly optimistic picture and the same proportion perceive their CISO as hesitant to express security vulnerability concerns. There’s common ground in that.

CISOs can navigate this tension by partnering with legal and other teams. For example, Dunn is collaborating with Kroll’s Chief Legal and Risk Officer Edward Forman to distill a series of technical factors into key areas of risk. In discussions with the board, it’s a more tactical conversation, with a 50,000-foot view of risk, Dunn says. 

How CISOs prepare for a new age of enforcement

  • Aravind: I'm Aravind Swaminathan, I'm a partner at Orrick, Herrington & Sutcliffe in our Seattle office and I'm part of our Cyber, Privacy and Data Innovation practice group.
    David: I'm David Dunn. I'm the Chief Information Security Officer for Kroll, and I’ve been there for about eight years. Prior to Kroll, I was the Director of Incident Response for FIS Global and I had about a two decade career in law enforcement before that.
    Aravind: One of the things that's been happening a lot is focus on individuals’ liability in the CISO community. Recently, Merrick Garland made a speech where he said the best way to get companies to change is to hold executives liable. And that goes back to what Sally Yates said back in the Department of Justice years ago during the Obama administration. Executive accountability will get companies to change. So we've seen increased focus on executives, whether it's a CISO or a CEO or a CFO when it comes to cybersecurity. So as a CISO, I'm really interested: what keeps you up at night in that context?
    David: So I had a boss once who said bad news is not like fine wine. It does not get better with age. And I take that to heart. For me, it's about disclosure. If something's coming down that I'm concerned about, that needs to be disclosed, I need to make sure that I understand what the issue is. And then I am letting the folks who need to know whether that's legal, risk, other folks on the C-suite, what that issue is. Most problems can be solved if you address them. But I think where my concerns are is is knowing something and not saying something. That's where where I see the risk for me personally.
    Aravind: Okay. How much foundational work do you have to do to make that happen? Before you need to do it? When you think about how you have to level set with your leadership, but that's my job. That's what I'm going to do. Here's how we're going to do this together. How much foundational work goes into preparing them to have that conversation, for you to make that information available to them so they can act on it?
    David: So from a Kroll perspective, we do a lot of work with our executives so that they understand what a security incident is, what a security event is, and what risk and what the potential risk is surrounding this. So, for example, you came out to Kroll last year and we did a tabletop exercise, right? So we had our C-suite and our business leaders in a room and we walked through a security event with them. These are the things that we need to think about. This is how a situation like this would play out so that when something bad happens, it's not a crisis moment. Everybody knows what their role is and is able to function and get to getting work done.
    Aravind: How much of that is culture, right? And what is your role? What do you see your role or your responsibility or what responsibility should CISOs have in trying to set that culture?
    David: You have to have a strong relationship with your legal and risk departments and your CEO. They have to trust that when you say something, it's true. You can't pull the fire alarm for everything, right? You complain about every single thing, then they're not going to listen to you. You need to bring the big bucket items to their attention and say, hey, these are the things that I'm worried about. But the other part of it is you have to be smart enough to sort of preload those things. Right? So, hey, we're rolling out this product. Here's some potential things that we need to be thinking about. Not saying it's a problem today, but these are potential issues. So it's baby steps. You can't hold everything back. But it's really educating them on what the potential risks are ahead of time and just having an honest, open relationship.
    Aravind: It sounds like one of the things you need to do is have a common vocabulary or a common framework for saying, look, these are the risks that we care about, right? And these are the risks I'm going to bring to you immediately. These are the ones that we're going to work on resolving until they become something different. So how do you build that framework? What goes into determining what gets escalated and what doesn't get escalated?
    David: So we have a risk management program and that is where we bubble up all those risks, whether it's compliance, information, security and I.T., transactional risk, legal risk. So that's where we collect all of those sort of big bucket items that need to be on the radar of our C-suite. Right? So that's where these are the dozen things, and not more, that should be on your radar that we may come to you and say, hey, something went wrong, we need investment, you need to be aware of it. And that's how we deal with it at Kroll. There may be ten or fifteen items that contribute to that one risk, but I want them to be aware of what that big-picture item is.
    Aravind: Okay. And So when you don't have that culture, what do you do in that situation? Right? When you, even if you’ve done, tried to do the groundwork and you tried to level set but you don't still have that culture, what should you as a CISO be doing or what do you think about doing when you have one of those situations that does need to get escalated?
    David: I think one of the areas where you can really benefit is bringing in another voice. Somebody from outside your C-suite, that your legal risk team will trust and will listen to and that you've sort of agreed ahead of time this is the message that I'm trying to get across to them. Can you give it to them in your words? Right. So a lot of times hearing something from somebody outside the organization that's parroting what you're saying inside can help tremendously, whether that's a tabletop exercise, whether that's through a security briefing. You know, we've engaged with law enforcement in the past and we have relationships with them. But bringing in somebody from the outside to sort of validate what you're talking about.
    Aravind: And help magnify the message that you're trying to send, right? So that requires you to lay groundwork with them as well ahead of time and have that option available to you.
    David: A CISO is all about relationships, right? The technical CISO, especially for a mid or large size organization, really I don't see that it exists anymore. Right. That person is now your security architect. He's your director of security operations. The CISO is that bridge builder, the person that is sort of orchestrating all of the things? Yeah, you have to have technical knowledge, but you have to have trusted people that are executing the figures and the hands on the keyboard.
    Aravind: So let's flip this around for a second. You're a CISO, you're an individual at a company, if you run into the situation, let's talk about what you worry about and ask me questions where there are things that are on your mind. How do you solve some of those problems as an individual?
    David: I think some of the biggest issues that we are concerned about from the CISO space is just the changing regulatory landscape, right? So when we look at a lot of the cyber issues that are going on, it's difficult for CISOs to keep up. Right. Whether it's — we're going to see that EU AI laws coming out. Right? I guarantee you that California, Massachusetts, New York will come out with AI laws and it’s trying to keep on top and abreast of what those laws and regulations are because they will directly impact security, product security, privacy and a lot of those things. So that's an area where I'm curious on your thoughts there.
    Aravind: I think the key to that situation is really what you've already said, which is you've got to build that relationship with legal so that you understand and have access to that changing dynamic. Right. How you are keeping abreast of those laws should be coming from the legal organization. So you're partnering and looking for the issues before they happen. Right. And so a lot of folks will have a regular meeting about here's what's changing the landscape, because what you hear and what your general counsel hear sometimes are very different, right? The general counsel in an organization may not be focused on what the new cyber regulations are, but you are. The most important thing, though, is to have a conversation about that together. And you just said it's all about building relationships and you need to build a relationship on the fact that they don't always have their eye on that particular ball and you don't always have your eye on that particular ball. But if you sit down together and work through that, you can be abreast and stay ahead of it. The last thing you want to be doing, like you just said, is finding out that it's an issue only because it happened now, right? And not being ahead of the game. And so that proactive engagement is, I think, the most powerful things that individuals can do to make sure they know what the landscape is.
    David: I think the other part of it is just CISO liability. I'm curious your thoughts on that, right. When I make a decision, when I talk to legal, risk, whatever, or when I talk to our board. I do it from a position of, you know, honesty and ethics, right? I try my very hardest to present them with the best information that I can. But we're also in an era now where we've seen CISOs convicted in criminal federal court. So what are your thoughts or recommendations for the CISO?
    Aravind: So I think you started this, which is like my job is about making sure there's disclosure, I'm escalating issues and I'm getting them out there. So I think that's the first foundation that you have to have and you have to have that common understanding that, that's what you're actually going to do. In terms of thinking about you as an individual, right? It's having process built behind that and having a common understanding. So we talked about that framework, like when am I going to escalate issues and raise them to you? Let's have a common understanding of what that is. The most important thing is that in the early days of an incident, what's in your best interest and what's in the company’s best interest, they’re the same thing. And you have to remember that. It's not you against the company. It's not you ratting on the company or anything like that. It's exactly the opposite. If you have an established process as an organization for here's what we're going to do, Here are the incidents that matter, Here’s how we're going to escalate it. Here's what we're going to escalate, here's when and here's how we're going to deal with it andyou're following that process that's good for you and your organization. I think that's the key to understand: if you are unified in that approach and you understand that what's good for me is good for the company, you're really going to have an easy time of navigating these pitfalls. And so even notwithstanding, we still see individuals held accountable for it. But when you're in line and following that process, that's really your first line of defense.
    David: True. Makes sense.
    Aravind: Awesome, thanks Dave.
    David: Thank you.

The CISO community has been on high alert since the SEC brought an enforcement action against SolarWinds and its CISO.

As regulators set their sights on information security and technology executives, disclosure is the first line of defense, Dunn shares. Organizations are looking to CISOs to shape a culture of trust and transparency and build a strong network of relationships (internally and externally), as part of developing security risk management and response processes, according to Dunn.

But CISOs need more support.

Miscommunication persists and nearly half of executives and CISOs report their priorities are misaligned, according to a recent survey from FTI Consulting. However, virtually all (98%) executives support more training for CISOs, particularly around communication.

Swaminathan recommends regular touchpoints between CISOs and legal to ensure alignment and keep up with the fast-moving regulatory compliance landscape.

Tune in for a deeper dive on navigating the evolving security and enforcement landscape as a CISO.