
CISOs, Partnerships and the Solarium Commission

I knew that Mark Weatherford was a big believer in cyber security partnerships. So I asked for his thoughts on the U.S. Cyberspace Solarium Commission Report, which was created through unusual partnerships—and will need more to reach fruition.

The commission was chartered in the 2019 National Defense Authorization Act (NDAA), and its report was written after it conducted more than 300 interviews. Released in March, the report included dozens of legislative proposals. The co-chairs, Angus King (Independent-Maine) and Mike Gallagher (R-Wisconsin), along with the twelve other commissioners on the bipartisan panel, are hoping that at least some of their recommendations are folded into this year’s must-pass NDAA. The splashiest proposal calls for the creation of a national cyber director position.

“I applaud the government,” Weatherford said of the Solarium report. “This is a good report, and a lot of good people worked on it.” He recognized the time and commitment that went into producing it. We can benefit from the suggested solutions, he said, and the layered deterrent strategy is particularly useful.

“But now it needs to be implemented,” he noted, and for Weatherford that’s a very big challenge.

Weatherford could have been tapped as a commissioner himself. He has a background similar to many of theirs. His government work began in the military, where he led the Navy’s Computer Network Defense operations, and he was later appointed the first deputy under secretary for cybersecurity at the U.S. Department of Homeland Security. Before that he was the chief security officer of the North American Electric Reliability Corporation (NERC), where he directed the critical infrastructure and cyber security program for electric utilities across North America. He also served as the chief information security officer for Colorado and then California (where he was the state’s first).

One of the problems with the Solarium Commission report, Weatherford said, is that the private sector is barely aware it exists. There was little coordination with, and few contributions from, private sector security people. “How many Fortune 100 companies were involved in the report?” he asked. “Any?”

Only one commissioner was plucked from the private sector: Tom Fanning, CEO of Southern Company, the Atlanta-based gas and electric giant, currently ranked 126 in the Fortune 500. The other commissioners are academics, politicians, current and former government officials and military officers. None of them works in private sector security.

Why is this important? In Weatherford’s view, public sector security officials don’t really understand their counterparts in the private sector, who face attacks every day. “They’re in the trenches, fighting hand-to-hand combat with the bad guys on a daily basis,” he said. The public sector doesn’t always grasp the impact its decisions and regulations have on private sector organizations.

And the report doesn’t engage with mom-and-pop businesses to help them implement solutions. Fortune 100 companies have lots of resources, and officials on Capitol Hill are eager to help them. But Fortune 5000 companies don’t get those invitations and don’t have nearly the same resources, he said.

He recalled Iran’s attacks on U.S. banks back in 2011 and 2012, when he was at DHS. The big banks got help from the government. But the small ones were largely on their own. If the Solarium Commission’s work can’t help the government do better than that, it’s got a good chance of becoming “shelfware,” he predicted.

What about the politics? Does he think this bipartisan commission can push through its proposals? It’s a good sign that they were able to work together, Weatherford allowed. But it’s an open question. Their initiatives could be taken over by bureaucracy. If legislators create a new organization to implement the cyber security proposals, thousands may be hired and billions spent and it still may not reach the private sector. That’s what he worries about, he said.

Have CISOs Earned a Seat at the Table?

I turned to other, more familiar partnerships, like the ones between security teams and lawyers. Has he seen signs of progress there?

He has, he said. New privacy regulations like the EU’s General Data Protection Regulation and the California Consumer Privacy Act have forced general counsel to work more closely with chief information security officers. And when they’re having conversations about how the company is running, he continued, security laws should be as much of a topic as technology is. GCs get that, and Weatherford feels that good CISOs do, too. Given the global nature of so many companies, they need to work well together, he added.

The last partnership we talked about was the one between CISOs and CEOs. It isn’t easy to hire CISOs these days, and it can be even harder to retain them. Weatherford’s advice to companies in the hunt: “You have to take care of your people. You have to make them happy in their jobs.”

A big part of that, he said, is giving CISOs the authority to implement security programs. He knows of three security officers who are ready to leave their jobs because they were promised that authority when they were hired, and denied it when they arrived. They were told it was a budget problem. Their fear is that they won’t be able to protect their company from attack, and then will be blamed for the result.

There’s another side of the equation, Weatherford pointed out. “If we want a seat at the table, we need to understand the business as well as security.” He recounted a board meeting to which he was invited to give a talk on security. After he finished, the company’s CISO gave his own briefing on security, which included specific recommendations. A board member asked the CISO how his suggestions would affect revenue generation. The CISO’s attempt to answer made it clear, Weatherford said, that he didn’t know how his company made money. It was so clear, in fact, that the board member asked him that question point-blank.

Are CISOs given their due? Sometimes, Weatherford said. But too often they’re still viewed as IT geeks. They are not acknowledged for contributing something “that’s critical to the business.” And many simply don’t have the business background to make that contribution. They need knowledge gleaned from experience in the security world and in the business world.

The security team doesn’t generate revenue in most companies, Weatherford said, but neither does the legal team. They’re not expected to. But to be most effective, CISOs and GCs need to understand their companies’ businesses, communicate clearly what they know and inspire confidence in those with whom they work. To boil it down to the simplest terms, Weatherford said, “The job of the CISO is to inspire confidence.” That includes the confidence of the CEO, the board, the general counsel, the chief information officer and the entire security team. Those that have that, he added, deserve a seat at the table.