Executive Missteps: On Deadly Ground

  • Writer: Susan Sons
  • Sep 2

Updated: Oct 22

This is the third installment in an ongoing series called "Executive Missteps" on how business leaders, often unknowingly, sabotage their organization's cybersecurity...and how not to be that person. Each is inspired by a true story (or several). Find the first installment here, and the second here.


Cybersecurity risks brought in by M&A can leave an executive feeling like the ground is falling out from under them.

It's been a busy month for our CEO as the company works on wrapping up a complex merger. She's buried in financial reporting when her assistant informs her that the CISO needs a meeting...now. This CISO has been around for a few years, and things always seem to run smoothly. He's never asked for a meeting outside of the CEO's quarterly cybersecurity update before.


The CISO comes in and explains to the CEO that he's declared a cybersecurity incident after discovering an intrusion on systems that belong to the company they just acquired... and that the monitoring the company claimed to have in place, and which is a regulatory requirement, doesn't actually exist. It will be difficult and slow work to determine the extent of the breach. Furthermore, the new CTO -- our CISO's direct supervisor, who was brought over from the acquired company -- has been bogging down response, undercutting the CISO's efforts.


The CTO has taken the position that an intrusion alone does not constitute an incident until it's been confirmed that data loss occurred. He's not allowing non-cybersecurity IT staff to assist with determining the extent of or remediating the breach. He doesn't consider the inadequate monitoring to be an emergency. Our CISO and his team cannot determine whether data loss occurred--their experience says it probably has--but they don't have the data or the access needed to continue investigating. The CISO is also concerned about security risks and regulatory liabilities related to inadequate monitoring more generally.


The CEO steps in to ensure that the CISO's incident response efforts aren't stymied by his direct supervisor, and asks the CISO to update her directly at least twice daily until this incident is over. She also wants to be copied on the incident report when the CTO receives it.


Over time, the CEO learns that she's dealing with a perfect storm wherein several different failures conspired to create an existential threat to the company's continued survival:


  • The M&A process did not discover serious cybersecurity risks lurking in the to-be-acquired company at a time when the acquiring company could have put on the brakes, demanded remediation, or stepped out of the deal if remediation wasn't possible. This just wasn't something their M&A process was designed to do well.


  • Having the CISO report through the CTO worked fine for this CEO's former team. She had an outstanding CTO who managed the inherent conflicts of that arrangement not just ethically, but deftly. However, the previous CTO retired during the M&A process, and the replacement wasn't that kind of outstanding. Putting the acquired company's CTO into the newly-merged organization's CTO role, over the CISO, put him in a perfect position to minimize the problems he was responsible for in his previous role. He increased the company's cybersecurity risk by doing so.


  • Post-acquisition, the CISO didn't have a way to discover flaws in the acquired company's IT infrastructure until the merger of IT infrastructure had begun. Thus, the acquired company's IT problems were now providing a new attack surface, riddled with holes, through which attackers could access the acquiring company's previously very secure assets.

  • The acquired company had been mis-reporting the state of their cybersecurity program to both their insurer and regulatory bodies for years. Now the merged company risks losing access to cyber insurance, and/or facing steep regulatory penalties, because of those actions.

  • The reorganization that naturally follows M&A had favored IT employees from the acquired company, which had lower overall IT costs and earlier AI adoption than the acquiring company. After this incident, the CEO realized that some of the acquired IT employees were probably spreading the culture of shoddy work and misrepresentation that they had lived with at their old company, and that she'd laid off more trustworthy IT workers from the acquiring company. She doesn't know exactly where the personnel problems lurk.


Creating a Culture of Security

M&A -- mergers and acquisitions -- processes tend to look closely at financial and regulatory risks, but not cybersecurity risks. When a technology assessment is done, it's usually done by an IT leader without a background in cybersecurity, and focused on IT costs and the potential difficulties of integrating two disparate infrastructures. Including a cybersecurity leader early in the M&A process, and empowering them to dive into the cybersecurity program with the same rigor used when your accountants look at the potential acquisition's finances, can prevent a lot of problems, and at least ensure that the respective boards and chief executives understand the cybersecurity risks and opportunities in the proposed M&A.


Avoid making your CISO a direct report to the CTO. Think of how a CFO provides a natural check on a growth-focused COO. The COO's role and incentives are all about more/faster/better, and the CFO works directly with the CEO to ensure that the financial risk is within what the organization can tolerate. A CTO and CISO should have a similar relationship.


Ideally, the CISO and CTO should be peers, but that is not always possible. A CEO may be overloaded with direct reports. Some boards aren't ready to okay another true C-suite salary for the sake of cybersecurity. There's also a shortage of CISO candidates who are prepared to operate at that level, especially in the "long tail" of companies. It's often more lucrative to be a senior cybersecurity engineer or manager in a Fortune 500 company than a CISO in a mid-sized company, so mid-sized companies must often choose among candidates who are strong on the technical cybersecurity side, or the executive side, but weaker in the other. In these cases, the CISO should report through someone with a risk-limiting mandate, such as the CFO. Remember: the most important aspect of a good CISO's role is not "tech stuff", it's limiting risk.


Finally, the company in our story lucked out because its former CTO ensured that the CISO had a relationship at the CEO level and even the board level. This is, sadly, not the norm for most. If the CISO hadn't felt that he could go over the CTO's head, the CEO would not have found out about this problem until the company was deeply in crisis. Additionally, this particular cybersecurity incident became big enough to rise to the board's level. The last thing a CEO wants is to explain that a major incident is ongoing, and the person here to explain it to the board is someone they have never met and have no reason to trust.


Wrapping up

M&A entails a number of cybersecurity risks. Those risks can be mitigated by a proactive approach to cybersecurity from the start of the M&A process, and a CISO who is well-positioned to remain independent from the CTO or CIO. Additionally, while not a cybersecurity control per se, the fact that the CEO made the roles of that CTO and other executives brought over from the acquired company interim was a huge risk limiter. An interim CTO is faster and easier to remove than a "real" CTO, and the removal doesn't look like a crisis to shareholders or the board. This allowed our smart CEO to right the ship more easily than she could have otherwise.