An interesting article about whether suing the C-Suite is appropriate or the CISO. What are your thoughts?
Surely it depends on the actual level of authority the CISO has in a particular organisation, rather than the job title. It would be inappropriate for companies to move to renaming a junior position CISO just to allow the board to sidestep legal actions.
I was about to say a similar thing @Steve-Wilme.
Collective failure can not be apportioned 100% to one individual - otherwise you're just creating scapegoats to insulate position of power that are the only ones who are empowered to change the outcome.
So the correct answer is: The Board, The CEO & The CISO.
Collective failure = collective fault.
From the way I understand it, you can name anyone you want in the lawsuit. It could be a lower level security analyst if the Plaintiff wanted to. Typically what will happen is the Org's legal team will defend the defendants if there wasn't any negligence found on their part.
I think this article brings up another good question though. Is it okay to file a law suite using the federal SEC laws following a security incident or breach? My initial reaction is no with how common place they are.
This is why it is important if you are in a CISO or senior cyber role to :
1) Effectively articulate the risk a certain vulnerability causes, and,
2) Ensure that the appropriate members of senior management are aware of it, and,
3) Ensure you have provided adequate guidance on risk reduction, mitigation, or acceptance, and,
4) Ensure that the actions taken or not taken are documented and kept for permanent records.
Just creating and filling out a risk register does not absolve you from responsibility. You need to be able to ensure that you did your due diligence in making senior management aware of the risks in the environment and that you properly documented the steps taken by the company.
@CISOScott In that case rather like a Solution Design methodology, we should then be recording all architectural and business decisions, whether they were accepted by the C-Suite or not and whether they were simply brushed under the carpet. We should also as a living document capture the Risks, Assumptions, Issues and Dependencies in a Viability Assessment. This will protect the integrity of the CISO, but also provide hard evidence, if a law suit occurs, or an employment issue arise - this is often a discipline that all Architects adopt, and I think we need to spread this to other professional disciplines as well.