OneTrust, a leader in trust intelligence, released a report on the state of trust in organizations [1aa3da32]. The report surveyed over 2500 senior business leaders and found that 70% of organizations consider trust a strategic business objective. The report highlights the challenges organizations face in establishing trust programs and processes, including getting board buy-in and involving multiple stakeholders. CISOs recognize the importance of trust due to cyber threats and potential legal liability for data breaches. Trust has evolved from a competitive advantage to a critical enabler of innovation. Building trust requires organizational transformation and unique steps for each business. The report emphasizes the need for measuring trust, securing budget, and identifying owners across the organization. Trust is no longer just about compliance, but about conducting business with ethics and integrity [1aa3da32].
This report by OneTrust adds to the growing concern about the challenges faced by Chief Information Security Officers (CISOs) in effectively communicating the need for cybersecurity measures to their boards and C-suite [d8dba8ce]. The report highlights the importance of trust and communication between executives and security teams, and suggests steps such as conducting audits, prioritizing remediation, and implementing security training sessions. It also recommends creating tailored, business-focused cyber risk reports that convert technical metrics into understandable, business-aligned metrics. Seeking allies on the board and executive team, quantifying additional benefits and cost reductions, and calculating the total cost of ownership (TCO) are also recommended. The report emphasizes the need for aligning cybersecurity funding requests with the organization's bottom line and demonstrating how the investment will help avoid significant financial and reputational losses. Additionally, a third-party risk calculation platform called 'Cyber Risk Oversight' developed by Security Innovation Corporation can assist CISOs in communicating cyber threats and their potential financial impact to the board [d8dba8ce].
However, the case of SolarWinds Corp. and its CISO Tim Brown serves as a reminder of the consequences of inadequate cybersecurity practices and accountability [8bc7275d]. The Securities and Exchange Commission (SEC) has charged SolarWinds Corp. and Brown with fraud and internal control failures related to the 2020 supply chain cyberattack on the company's Orion Platform, which led to the compromise of US government departments by Russian intelligence [8bc7275d]. The SEC alleges that Brown ignored warnings about the company's vulnerabilities and failed to raise the issue up the chain of command, leaving the company's systems unprotected. Brown is also accused of selling SolarWinds stock at inflated prices before its value plummeted. SolarWinds is accused of making false and misleading statements about its cybersecurity practices [8bc7275d]. This case has sent shockwaves through the security ranks and may have a chilling effect on the hiring of CISOs while exposing the budget constraints under which security executives operate [8bc7275d]. It raises concerns about the accountability of CISOs for breaches caused by resource constraints and highlights the need for CISOs to have the resources and support necessary to carry out their responsibilities effectively [8bc7275d].
The common theme that emerges from these reports is the importance of effective communication and accountability for CISOs. CISOs need to communicate the business value of cybersecurity investments clearly in order to secure funding from the board and C-suite [b67dfc5a]. They also need to be accountable for their actions and decisions, ensuring that adequate cybersecurity practices are in place to protect the organization from cyber threats [8bc7275d].