When CISOs Are Called to Testify in Courtrooms
Unilever CISO Kirsten Davies on Dealing With Legal Risks and Liabilities
The guilty verdict against Joe Sullivan, former chief security officer of Uber, has generated much discussion about CISO accountability for disclosures of breaches. How should CISOs be preparing to deal with this new responsibility? Kirsten Davies, CISO at Unilever, said communication is crucial.
Davies advised CISOs to engage with their stakeholders, the legal department, the HR department and the leadership executive team to make sure they are making holistic decisions for the organization.
"CISOs have different relationships with law enforcement around the world, in different forms of law enforcement as well, but we need to be mindful of who we're talking to in the midst of an incident," Davies said.
Success ultimately boils down to using the available information to make the best possible choice when an organization makes a decision about breach reporting.
"Along the way, there will be new inputs of information and there will be new stakeholders to engage - whether it's regulatory, law enforcement or internal stakeholders. And we just have to be making the best decisions that we can with the information that we have at the time," Davies added.
In this video interview with Information Security Media Group at RSA Conference 2023, Davies also discusses:
- A CISO's legal risks and liabilities;
- How CISOs should negotiate their recruitment terms;
- Communicating with cyber insurance providers and brokers.
Davies has expertise in business enabling, risk management, data privacy and IT and digital transformation. Her hallmarks include transformative vision casting and strategy setting, operational and organizational excellence, and enterprise enablement. Davies has worked across industries including manufacturing, finance, energy and telecom.
Rahul Neel Mani: Hi there, my name is Rahul Neel Mani, vice president, Information Security Media Group. And in the studio today, I have Kirsten Davies, who is the global CISO of Unilever. Welcome to the studio, Kirsten.
Kirsten Davies: Thanks very much for having me.
Neel Mani: Great. And we are going to talk about a very offbeat topic today, which is fighting legal risks and liabilities.
Davies: Excited. Yeah.
Neel Mani: So considering the new breach notification norms and other compliances, what are a CISO's legal risks and liabilities? And how well- or ill-equipped are CISOs?
Davies: It's a great question. I think that this has been evolving over the last few years, and especially most recently, with different regulatory environments, as you've mentioned, but also different issues that we've seen that the CISOs have been facing. I think it does go back to some of our primary work that we need to be doing, which is always socializing the risks to a variety of different stakeholders, both across our network within an organization and also upward. So that we're not the only ones that are taking decisions; we're not the only ones that are feeling the ramifications or the pressure even of these decisions. So, I think what we've seen recently in legislation, Capitol Hill in the United States of America, CISOs needing to testify and speak to what their actions were during specific incidents, breaches, whatever those cyber incidents were. So, it is up to us to be able to make sure that we're engaging with our stakeholders, the legal department, sometimes the HR departments, always across the leadership, executive team, as well, to make sure that we are taking the best decisions for the organization. And in partnership with the leadership of the organization, I think we've seen what happens. Also, when that doesn't happen, not only do we not have a holistic decision-making set, but we can miss big things. Different CISOs have different relationships with law enforcement around the world, in different forms of law enforcement as well. I think we need to be mindful of who we're talking to, and when we are talking to them in the midst of an incident. And then realizing that anything and everything, whether it's in email, it's on your chat lines, your Teams, your WhatsApp, whatever it is, all of that is discoverable. And we want to make sure that we're making the right or the best decisions with the information that we have at the time of the decision making.
And at any step along the way, we have new inputs of information, we have new potential stakeholders to be engaging with whether it's regulatory, law enforcement, internal stakeholders, things like that. And we just have to be taking the best decisions that we can with the information that we have at the time.
Neel Mani: So that means that CISOs have to evolve from merely a technology role and learn new traits, isn't it?
Davies: That's right, we're risk executives. At the end of the day, I know, many evolved out of deep technology roles. And we still need that deep technological skill set within our ranks. However, as CISOs, we have an increasing responsibility to be engaging with our business colleagues. I mean, we are a business executive at the end of the day. So we must be able to engage on the risk discussions that are there taking into consideration operations, markets, credit, technology footprints, digital footprints, data everywhere, all of these different types of things. We need to be able to translate very complex topics in the language that our business colleagues can understand. So again, we together can take the best decisions for the organization.
Neel Mani: So, breach notifications and compliances aside, when it comes to their employment contract, how well aware should a CISO be so that they don't get into a legal tangle?
Davies: Well, that would be the million-dollar question, wouldn't it? Or the million-euro question. First of all, it's good to have a contract. Yes, let's have a contract for CISOs. Because our terms and conditions of employment, the best level at which we can negotiate those upfront is what we will eventually be subjected to down the road. We are still the ones who are very much accountable and responsible for an area of risk that many organizations don't fully understand. So we need to have wide-eyed awareness of what we're walking into. We need to have open-handed and open-hearted conversations with the recruiting companies and with our hiring managers, regardless of who that is that you eventually do report to in an organization, and we do need to make sure we have things set up in advance. Things like what budget is it that we're looking to do? What type of transformation or growth or scale down or scale up? What is it that the organization is looking to have us do? What size of team do we have? What is our reporting line within the organization? And then what if any of those things change due to a business change? Divestitures or acquisitions, these things happen all of the time. We need to have those triggers within our employment agreement that say, look, if the role of the CISO changes, if the reporting line changes, if there is no longer budget, or the budget is cut, or the budget isn't growing at the rate at which it should to address the attacks/the threats that are out there, we need to be able to have the ability to have those very deep and often difficult, courageous conversations, as we call them. We need to be able to have those courageous conversations not only with our employer as in the manager to whom we report, but also the leadership executive team and the board team. Because it's a deep and heavy responsibility that we carry that we also need to be bringing forward on behalf of the organization itself.
Neel Mani: Great. Another important point is that CISOs have a very cursory engagement with the cyber insurers. You think CISOs fully understand it yet? Or what should be a CISO's KPIs for cyber insurance?
Davies: Yeah, I think we have a very intimate relationship with our cyber insurance providers and our brokers. It is part of the CISO role; it is part of the risk equation that we take into consideration, depending upon the appetite of the organization, the risk appetite - again, why I say that we're risk executives. We're constantly taking these conversations in these decisions. It's a very important subject to discuss. Insurance has shifted tremendously across the last few years with the advent of ransomware and the payouts of ransomware by insurance; we've seen insurance providers shift their posture. I think that the industry is normalizing a bit, and we do need to be much more intimately involved in those discussions. I think the more candid and the more open we can be with our brokers and providers, the better - not expecting that they demand that I put everything in writing, because that's not wise or safe, is it, to have in writing what our posture is all over the place. But having those conversations and being able to openly correspond with the insurance providers to say, look, what we're going to do is have KPIs around reporting times - around disclosure, around what is a soft disclosure versus a hard disclosure. Do we want to be in those strategic partnerships with our insurance providers? To that I'd say yes, we would want to if they're part of our risk equation. We do need to be having those open conversations with them.
Neel Mani: Excellent talking to you, Kirsten! Thank you very much for coming to our studios today.
Davies: Thanks for having me.
Neel Mani: So that was Davies at ISMG studio. My name is Mani. Thank you for watching.