

How 2020 Presidential Candidates Can Guard Against Cyberattacks

The 2016 presidential election witnessed unprecedented Russian cyberattacks and disinformation campaigns designed to disrupt the U.S. electoral system by influencing public opinion. The Russian goal is to destabilize the U.S. through ideological activism, advancing their interests and furthering their political agenda. Their methods compromised the computer systems of candidates and political parties, using the exfiltrated data to spread disinformation and influence the presidential election.

On January 6, 2017, the U.S. Director of National Intelligence released a declassified report “Assessing Russian Activities and Intentions in Recent U.S. Elections.” According to the report, Vladimir Putin ordered a massive campaign orchestrating attacks from multiple fronts that involved spreading pro-Trump propaganda on social media to hacking the Democratic National Committee (DNC). Their methods resulted in massive data breaches within the DNC that included access to John Podesta's email f…

Can a CISO Have Job Fairness?

This is an intriguing thought, as the job of the CISO is one of the most difficult in any corporate environment. CISOs serve as the protectors of corporate data and must be skilled not only in crisis management and communications, but must also be experts in the most sophisticated technology, privacy, and legal matters. It is a job that is inherently held to the highest ethical standards in organizations. The situation is complicated, not glamorous, and one of the most stressful white-collar occupations, where tenure is short, averaging 2-3 years. Not only is the CISO held accountable for protecting against outside hacking threats but also against internal ones, where the position is often involved in investigating domestic criminal activities and deliberate data leakages. Moreover, CISOs are called upon in criminal litigation depositions and serve as expert witnesses in court.

The reporting structure is a problem organizations struggle with today, and many times corporate board members and senior executives consider the role to fall within the domain of technology. That thinking is far from the truth, as the CISO spans the many disciplines and skill sets required to be successful in the position. As eloquently put by David Jordan, the chief information security officer for Arlington County in Virginia, quoted in an article:

“We’re like sheep waiting to be slaughtered, we all know what our fate is when there’s a significant breach. This job is not for the fainthearted.”

I have often said: who in their right mind would want a job like that? If that is not a dead-end career, then I am not sure what is. Many CISOs I know took the hit or left on their own, taking lesser positions, because of the total unfairness of the job.

This article will focus on providing the CISO certain police powers or whistleblower protections in organizations. Security infrastructures deployed today enforce corporate governance policies and regulatory compliance, and provide detailed audit trail logging in addition to real-time monitoring and event alerts. So aren’t these realities a policing act with enforcement practices?

I will be discussing the following:

  1. Police Officers and the CISO: Toughest Jobs on the Planet
  2. SOX Whistleblower Protection: A CISO’s Trump Card

Police Officers and the CISO: Toughest Jobs on the Planet

Government police power is defined as the capacity of the states to regulate behavior and enforce order within their boundaries for the betterment of the health, safety, morals, and general welfare of their inhabitants. This delegation of power is afforded by the U.S. Constitution and the subsequent provisions written in the Tenth Amendment. States can compel obedience to these laws through any measures they see fit, provided these measures do not infringe upon any of the rights protected by the U.S. Constitution or the various state constitutions, and are not unreasonably arbitrary or oppressive. Methods of enforcement can include legal sanctions, physical means, and other forms of coercion and inducement.

The scapegoating CISOs commonly have thrown in their faces when breaches occur is in fact very similar to what a typical police officer faces on the streets. CISOs do not face physical life-or-death circumstances, but they do encounter career-ending situations because, in today’s environment, a breach is an extremely high-profile and publicized event. Law enforcement officers arguably have one of the toughest jobs, and the same goes for the CISO. Law officers alone are charged with keeping the streets and neighborhoods safe from crime. The CISO protects the data of an organization, and in some organizations physical security is also part of the job; this convergence of both responsibilities is the origin of the title CSO. The CISO protects an organization’s data, its very existence, and the livelihoods of all the employees and contractors who depend on it every day.

Police officers put their lives on the line; life-and-death decisions are in the job description. Because of the enormous responsibility that comes with a badge, law enforcement officers are held to a much higher standard of personal and professional conduct, as they should be. This higher standard and increased visibility render police officers vulnerable to false accusations from the criminal element and from others in society whose sole motivation in making these allegations is to disrupt law enforcement activities. The CISO is also inherently held to that same high standard and faces the same accusations from senior leadership on down the food chain of the organization, even when it is through no fault of their own.

The legal protections afforded all citizens, including suspects and convicted criminals, from illegal and improper police procedures, are provided by the U.S. Constitution as well as Federal and State statutes. Moreover, most law enforcement agencies also implement a wide array of departmental processes that govern the conduct of their officers during traditional police activities. Unfortunately, rank-and-file police officers are sometimes subjected to abusive and improper procedures and behavior on the part of the very departments or agencies they serve. In some instances, the fundamental rights that most citizens or employees would take for granted are either denied or simply unavailable to police officers.

In a startling number of jurisdictions throughout this country, law enforcement officers have no procedural or administrative protections whatsoever; in fact, they can be, and frequently are, summarily dismissed from their jobs without explanation. Officers who lose their careers due to administrative or political expediency almost always find it impossible to find new employment in public safety. An officer’s reputation, once tarnished by the accusation, is nearly impossible to restore.

For the CISO and the police officer, the similarities are profound: their livelihoods are at stake, and both need fairness and protection in the work they do.

SOX Whistleblower Protection: A CISO’s Trump Card

In one of my previous articles, I discussed how HIPAA and SOX can land the CISO in the federal slammer, but SOX can also serve as the CISO’s trump card, a double-edged sword.

The Sarbanes-Oxley Act of 2002 (“SOX”) contains significant protections for corporate whistleblowers. Given its various civil, criminal, and administrative provisions, the statute may be considered, over time, one of the most critical whistleblower protection laws.

Unlike most whistleblower laws, SOX’s whistleblower protection provisions are not limited to providing a legal remedy for wrongfully discharged employees. In addition to containing employment-based protections for employee whistleblowers, the law includes four other provisions directly relevant to whistleblower protection:

  1. The law requires that all publicly traded corporations create internal and independent “audit committees.” As part of the mandated audit committee function, publicly traded corporations must also establish procedures for employees to file internal whistleblower complaints and procedures which would protect the confidentiality of employees who file allegations with the audit committee.
  2. The SOX sets forth new ethical standards for attorneys who practice before the Securities and Exchange Commission (SEC). This law and the SEC’s implementing regulations require attorneys, under certain circumstances, to blow the whistle on their employer or “client.”
  3. The SOX amended the federal obstruction of justice statute and criminalized retaliation against whistleblowers who provide “truthful information” to a “law enforcement officer” about the “commission or possible commission of any Federal offense.” This provision of the SOX was not limited in its application to publicly traded corporations; it covers every employer nationwide.
  4. Section 3(b) of the SOX contains an enforcement provision concerning every clause of the SOX. This section states that “a violation by any person of this Act [i.e., the SOX] . . . shall be treated for all purposes in the same manner as a violation of the Securities Exchange Act of 1934.” This section grants jurisdiction to the SEC to enforce every aspect of the SOX, including the various whistleblower-related provisions. It also provides for criminal penalties for any violation of the SOX, including the whistleblower-related clauses.
It is conceivable that, in the event of a significant breach, CISOs may arm themselves with compelling evidence that they were wrongly discharged after having warned board members and senior executives of the issues. Although to date I am not aware of a CISO who was a plaintiff or defendant in litigation with their former employer, I am aware of hush money being paid to a former CISO who remains anonymous. This individual implicated high-ranking executives for coercing IT administrative staff to gain access to data inappropriately; the monitoring systems had flagged the activity. Under the threat of a publicized lawsuit, and because their legal counsel intervened stating that the CISO was fulfilling the job responsibilities, they released the person with an unusually large severance package, citing an involuntary “layoff” as the reason for termination.

For the CISO to be a valued force within organizations, they need to be protected and treated fairly. In many respects, they are bullied and left to sink or swim in a boat with holes below the water line. The CISO job suffers the same unfair issues as law enforcement, which makes the job extremely difficult, and when unfairly jettisoned, CISOs have a difficult time becoming gainfully employed again in their careers.

The law officer does have one advantage: the police power afforded by the U.S. and state constitutions, while the CISO has no shield other than the SOX whistleblower provisions. Even with that, the burden of proof is on the accuser, so CISOs must be on their toes and have their ass well covered.