The cyber threat landscape is ever-evolving, with criminals employing increasingly sophisticated tactics to infiltrate and exploit businesses. But what if the very people tasked with protecting organizations against these threats are engaging in criminal behavior?
Join us as we hear industry veteran Tom Cornelius explore the current issues within the cybersecurity landscape.
Who is Tom Cornelius?
Tom is a Senior Partner at ComplianceForge, Co-Founder of the Secure Code Alliance, and Founder of the Secure Controls Framework. He helps organizations establish order by aligning with business objectives and applying industry-recognized cybersecurity and data privacy policies.
Tom's Hot Take
Many CISOs should be classified as cyber criminals. From wire fraud to False Claims Act violations, many CISOs are guilty of serious crimes that I believe qualify as cybercrime.
Security leaders are up in arms about the SEC charging SolarWinds' CISO with fraud. Some claim he was one "bad egg," and his actions don't indicate a wider problem. I disagree. I believe many CISOs are guilty of crimes, including:
- Fraud. By publicly stating in writing that their company maintains a certain level of cybersecurity (for example, compliance with a framework) when they know it doesn't, CISOs are committing fraud. By keeping their jobs, they are financially benefiting from fraud.
- False Claims Act violations. By knowingly submitting false claims to the U.S. government, CISOs are violating the False Claims Act. Usually, this happens when a CISO claims their organization complies with NIST 800-171 when they know it doesn't.
- FTC Act violations. CISOs who knowingly lie about their organization's security profile are considered to be engaging in an unfair business practice, which is a violation of the FTC Act.
Some people will argue that a lot of false claims are made unknowingly. I believe in many cases, CISOs are signing off on claims they know perfectly well aren't true, and both the individual and their organization are benefiting financially from those false claims.
So why does this happen? First, lax enforcement of the law has created an environment where CISOs are expected to lie because they (and their superiors) know they won't be prosecuted. However, SolarWinds and other high-profile cases have proven this is already changing.
Many CISOs simply acquiesce to the business. They don't want to be seen as blockers, so they "go along to get along," signing off on false claims to avoid negative outcomes for the organization and themselves. Bluntly, this is a case of some CISOs simply being weak-willed. You won't find many CFOs attesting to false claims because they understand the implications. Many CISOs appear to believe it's OK to misrepresent their security profile because it's "not being prosecuted." But keep in mind:
- There WILL be more prosecutions. The DoJ has announced it will be prosecuting more False Claims Act offenses in the near future, and other agencies are making similar noises.
- Employees with evidence of False Claims Act offenses are likely to file a Qui Tam claim against their employer because they stand to receive very high damage settlements.
Ultimately, CISOs must understand the implications of the claims they make and start standing up to the business to ensure they can make truthful claims about their security posture.
Get the Full Cybercrime Story
In our latest report, we provide a detailed analysis of the year's top evolving cyber threats—without unnecessary fluff. The findings underscore the critical need for robust cybersecurity measures and show how cybersecurity professionals combat the ever-evolving threats.
Discover:
- The 4 primary monetization strategies driving cybercriminal behavior
- The rise of BEC scams, ransomware, and supply chain attacks
- The growing role of AI in enhancing social engineering
- Industry analyses and predictions from renowned cybersecurity veterans
Don't miss out on this essential guide to staying ahead of evolving threats. Download the report!
April 16, 2024