{"id":3246,"date":"2025-05-20T08:01:00","date_gmt":"2025-05-20T08:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3246"},"modified":"2025-05-20T08:01:00","modified_gmt":"2025-05-20T08:01:00","slug":"4-ways-to-safeguard-ciso-communications-from-legal-liabilities","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3246","title":{"rendered":"4 ways to safeguard CISO communications from legal liabilities"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>In 2019, Russian threat actors began targeting Texas-based business software provider SolarWinds. What started as a dry run to inject malware into SolarWinds\u2019 networks evolved into the <a href=\"https:\/\/www.wired.com\/story\/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever\/\" target=\"_blank\" rel=\"noopener\">boldest software supply chain hack ever<\/a>, ultimately spreading malicious backdoors to SolarWinds\u2019 blue-chip business customers and <a href=\"https:\/\/www.csoonline.com\/article\/570537\/the-solarwinds-hack-timeline-who-knew-what-and-when.html\">marking a miserable milestone<\/a> in cybersecurity history.<\/p>\n<p>The widespread damage caused by the incident caught the attention of US federal authorities, including the US Securities and Exchange Commission (SEC), which launched an investigation into the publicly traded company.<\/p>\n<p>In October 2023, the SEC <a href=\"https:\/\/www.csoonline.com\/article\/657599\/sec-sues-solarwinds-and-its-ciso-for-fraudulent-cybersecurity-disclosures.html\">filed charges<\/a> against SolarWinds and, in unprecedented action, its CISO, Timothy G. 
Brown, for misleading investors by not disclosing \u201cknown risks\u201d and failing to accurately represent the company\u2019s cybersecurity measures, among <a href=\"https:\/\/www.sec.gov\/newsroom\/press-releases\/2023-227\" target=\"_blank\" rel=\"noopener\">other communications-related offenses<\/a>.<\/p>\n<p>The charges against SolarWinds and Brown were complex, and the judge overseeing the case <a href=\"https:\/\/www.hunton.com\/privacy-and-information-security-law\/judge-dismisses-most-of-sec-case-against-solarwinds-and-its-ciso#:~:text=Finally%2C%20the%20Court%20dismissed%20as,internal%20controls%20over%20financial%20reporting.\" target=\"_blank\" rel=\"noopener\">dismissed<\/a> most of them last year. On the eve of the RSA conference this year, SolarWinds and Brown <a href=\"https:\/\/johnbandler.com\/wp-content\/uploads\/2025\/04\/2025-04-25-SolarWinds-Motion-Summary-Judgment.pdf\" target=\"_blank\" rel=\"noopener\">petitioned<\/a> the court for a summary judgment to dismiss the remaining charges.<\/p>\n<p>The SEC lawsuit, premised on statements made by SolarWinds and Brown, <a href=\"https:\/\/www.csoonline.com\/article\/2505459\/how-cisos-can-protect-their-personal-liability.html\">serves as an object lesson<\/a> for CISOs that what they say or write in the course of their jobs could be fodder for litigation.<\/p>\n<p>\u201cThe US Securities and Exchange Commission\u2019s complaint against SolarWinds and one of its cyber professionals, Timothy G. 
Brown, is a high-profile example of the things we want to avoid,\u201d <a href=\"https:\/\/www.rsaconference.com\/experts\/mike-serra\" target=\"_blank\" rel=\"noopener\">Mike Serra<\/a>, senior counsel at Cisco, said in kicking off a panel, \u201cGuarding Your Words: Legal Risks for Cyber Professionals,\u201d at this year\u2019s RSA Conference in San Francisco.<\/p>\n<p>While formal communications can expose CISOs to legal liability, informal and unofficial communications pose an even greater danger.<\/p>\n<p>\u201cSo, you should be careful with what you post online,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/tim-brown-ciso\/\" target=\"_blank\" rel=\"noopener\">Tim Brown<\/a> told CSO. \u201cYou should be careful about any information you share about the company you\u2019re working with or its posture. You should be careful with what things are said in public and not expand too much.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Choose your words carefully<\/h2>\n<p>The charges against Brown shook up the CISO community and served as an extreme reminder that words matter. The legal ordeal Brown has gone through \u201cis obviously awful and thankfully rare,\u201d <a href=\"https:\/\/www.wilmerhale.com\/en\/people\/matt-jones\">Matt Jones<\/a>, partner at WilmerHale, said during the RSA panel. But it illustrates how \u201cthe legal exposure is rising from just how you talk about things.\u201d<\/p>\n<p>Jones emphasized how outsiders, including regulators, will judge the effectiveness of an organization\u2019s cybersecurity program based on what CISOs say and how they say it. \u201cIt\u2019s critical to focus on how you talk about those things because there are many laws and many people who can enforce those laws based on the delta between what you\u2019re saying about your program and where it is.\u201d<\/p>\n<p>\u201cWords matter incredibly in any legal proceeding,\u201d Brown agreed. \u201cThe first thing that will happen will be discovery. 
And in discovery, they will collect all emails, all Teams, all Slacks, all communication mechanisms, and then run queries against that information.\u201d<\/p>\n<p>Speaking with professionalism is not only good practice for building an effective cybersecurity program; it can also go a long way toward warding off legal and regulatory repercussions, according to Scott Jones, senior counsel at Johnson &amp; Johnson. \u201cThe seriousness and the impact of your words and all other aspects of how you conduct yourself as a security professional can have impacts not only on substantive cybersecurity, but also what harms might befall your company either through an enforcement action or litigation,\u201d he said.<\/p>\n<p>Scott Jones also cautions against using unnecessary superlatives that can lock CISOs into positions they might not be able to defend during litigation. \u201cIt\u2019s never \u2018this is the worst\u2019 or \u2018what just happened was criminal.\u2019 That\u2019s not how you should describe anything in this area,\u201d he said.<\/p>\n<p>The reverse is also true: touting how good you are can cause trouble.<\/p>\n<p>Brown said that something as simple as saying, \u201cI have a very good program,\u201d can be problematic. It\u2019s better to say, \u201c\u2018My program manages a thousand vulnerabilities every week,\u2019 or whatever it is,\u201d he added. \u201cUse numbers, facts that are supported, and adjectives that are appropriate for description.\u201d<\/p>\n<p>One pitfall for any professional is humor, which, stripped from its context and environment, can take on new meanings and be used against CISOs in litigation. 
Even a dumpster-fire meme or an LOL typed into a chat message, for example, can be held up in litigation as an admission of guilt or as evidence of a cavalier attitude toward security, exposing cyber teams to even more liability.<\/p>\n<p>\u201cWhen we say LOL, 90% of the time you were not actually laughing out loud, but we use these very informal ways of communicating with one another,\u201d WilmerHale\u2019s Jones said. \u201cAnd that stuff shows up with regularity in cases when you have a significant cyber incident. LOL or dumpster fire is not the best way to talk about it internally because that\u2019s what\u2019s going to show up\u201d in litigation.<\/p>\n<h2 class=\"wp-block-heading\">Pay attention to the medium<\/h2>\n<p>CISOs also need to tailor what they say to the medium they are using. Pay attention to \u201chow we communicate, who we\u2019re communicating with, what platforms we\u2019re communicating on, and whether it\u2019s oral or written,\u201d <a href=\"https:\/\/www.rsaconference.com\/experts\/angela-mauceri\">Angela Mauceri<\/a>, corporate director and assistant general counsel for cyber and privacy at Northrop Grumman, said at RSA. \u201cThere\u2019s a lasting effect to written communications.\u201d<\/p>\n<p>She added, \u201cTo that point, you need to understand the data governance and, more importantly, the data retention policy of those electronic communication platforms, whether it exists for 60 days, 90 days, or six months.\u201d<\/p>\n<p>One way to sidestep communications land mines is to communicate as much as possible in person. \u201cThe other thing that I would recommend is establishing a culture of in-person or just face-to-face communications instead of in writing in chats, IM, or Teams,\u201d Mauceri said. 
\u201cThat\u2019s important because that can allow you to emphasize tone when communicating face-to-face with the team.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Define your role and establish policies<\/h2>\n<p>CISOs should consider defining their roles and establishing policies to build guardrails that minimize the risk of potentially actionable communications. \u201cIt starts with a clearly defined job description,\u201d Brown told CSO. \u201cOne that is discoverable, one that is known. It\u2019s important to understand that people don\u2019t know what a CISO does. And that includes legal folks.\u201d<\/p>\n<p>\u201cThat tone must be set right from the start: Here is what I do; here\u2019s what I don\u2019t do,\u201d he said. \u201cFor example, legal disclosures. I may be a part of a team that discusses disclosures, but I\u2019m not the one making a final decision.\u201d<\/p>\n<p>Brown reiterated, \u201cIt\u2019s important to outline that you\u2019re part of an approval team. You\u2019re not the approver. You\u2019re part of a team that is doing things. You\u2019re part of a team that\u2019s providing input to something. Ultimately, what gets posted on the website goes through marketing review, goes through legal review, comes through to the CISO potentially for some check, but we don\u2019t decide what we\u2019re going to publish or pop it on a site.\u201d<\/p>\n<p>Likewise, CISOs should consider writing policies, procedures, and processes for how their cyber teams should manage and communicate risks. \u201cEstablish in writing what is your expectation for teams to identify and do the internal reporting and escalating up the chain in terms of a risk escalation policy,\u201d Northrop Grumman\u2019s Mauceri said. \u201cThis is once you identify the risk, assess it, and identify it as a weakness or a vulnerability. 
The language that you use should be very, very specific.\u201d<\/p>\n<p>She added: \u201cAlways assume that this information is discoverable in litigation and audits. It is good to have something that you document when you identify risks and that you are resolving those critical system changes, critical decisions, and vulnerabilities very carefully. Be factual and neutral.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Understand the law and seek counsel<\/h2>\n<p>Understanding some of the finer points of laws and regulations will also help keep CISO communications from veering into damaging directions.<\/p>\n<p>\u201cDon\u2019t be sloppy and call a cyber event an incident if it hasn\u2019t been declared an actual incident,\u201d Mauceri said. \u201c\u2018Cyber incident\u2019 is a legal term depending on what type of company you are. There is a legal definition of cyber incident in the SEC rules, as well as if you are a defense contractor or dealing with government contracts under the federal or defense acquisition regulations.\u201d<\/p>\n<p>For that reason, CISOs should <a href=\"https:\/\/www.csoonline.com\/article\/646107\/why-and-how-cisos-should-work-with-lawyers-to-address-regulatory-burdens.html\">establish good working relationships<\/a> with their in-house or external legal counsel. \u201cListen to your counsel,\u201d Brown said. \u201cIf you\u2019re dealing with an entity such as the SEC, you already have counsel, either the company counsel or your own counsel. Listen to them. They\u2019re always, or usually, very experienced. They\u2019ve often been in those positions before. They will help and craft messages to be able to communicate appropriately.\u201d<\/p>\n<p>CISOs who lack counsel of their own should seek out experienced lawyers or volunteer organizations that can help. \u201cMy legal team has probably had a call with 10 or so CISOs since [my litigation] began. 
Many will do it essentially just pro bono as an initial conversation,\u201d Brown said.<\/p>\n<p>Brown stressed that any CISO should have somebody to call for advice if they start feeling uncomfortable. \u201cThey should have a few folks they could call either through some of the organizations they\u2019re on or through personal relationships.\u201d<\/p>\n<p>Although CISOs may now feel uncertain about their exposure to legal liability, the rules might become clearer over time.<\/p>\n<p>\u201cWe\u2019re young as an industry,\u201d Brown said. \u201cThe first CISO was somewhere around 30 years ago. We\u2019re going through a maturity curve. People need to realize that my case and other things around it are a maturity blip. We\u2019ll get through it. We\u2019ll become stronger because of it and continue forward. But have a little patience.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In 2019, Russian threat actors began targeting Texas-based business software provider SolarWinds. What started as a dry run to inject malware into SolarWinds\u2019 networks evolved into the boldest software supply chain hack ever, ultimately spreading malicious backdoors to SolarWinds\u2019 blue-chip business customers and marking a miserable milestone in cybersecurity history. 
The widespread damage caused by [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3236,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3246","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3246"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3246"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3246\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3236"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3246"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3246"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3246"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}