Cybersecurity Risks and the Role of CISOs  By Jim Routh, Micheal W. Reese, Matthew Rosenquist and Pritha Aash

 The conversation delves into the complexities of cybersecurity management, including the responsibilities of CISOs, the implications of security breaches, and potential changes in insurance coverage. It explores the challenges faced by CISOs in negotiating contract clauses and the evolving landscape of cybersecurity insurance.



Here is the verbatim discussion:

Especially when you talked about uh you know Supply CH uh supply chain issues and Michael you talked about right nation state attackers and I mean ultimately the the audience needs to know what there were 18,000 potential victims uh at the compromise of their primary product now not all of them were victimized but uh you know Jim I'll start with you uh do you think from a risk perspective and kind of gets away from the case of fraud but just from a risk management perspective did solar winds drop the ball here uh no I don't have information to support that premise at all um what I would say is that identity access management practice in software development in a cloud first model across every single Enterprise sucks right it's inadequate insufficient not enough uh and that's every Enterprise and so we all have every Enterprise has to step up and deal with that challenge and that's not necessarily unique to solar winds yeah Michael your thoughts yeah we see that across the board right um and I know Jim used the word devop I'm getting away from devop it Dev SEC off you have to include security when you start building that product you've got to understand what that flow of data is so if something happens you're right there um so yeah I think that's the first thing we need to do is make sure sdlc that software development life cycle we know what's going on with there and we're building a software platform that's going to work and it's going to be secure but that starts at the beginning that starts at the beginning of that Dev de off I totally agree with J yeah um I'm in line with you guys the reality is were the red flags yes but that's our daily job we're dealing with red flags every single day um and so I you know I haven't seen all the data I'm you know I don't know what they knew when they knew it and so I can't say that yeah there were obvious red flags that they should have jumped on I think there were red flags but okay out of the million red flags that we deal with how did we know that this combination was you know something so severe um at the point that the security firms came to them and said we can definitively show that your product is hacked which is what happened in December uh at that point they did respond to it so I do like that fact but I'm with you guys you know it's it's it's tough especially when there's insufficient visibility insufficient controls and we do not have good security baked in as part of Product Development Across the IND industry it's not just solar winds right it's well unfortunately it's everybody this is just the state of maturity that we have another question came in here you know what do you think about a negotiated contract clause that provides protections and rights to private defense I think we talked about that a little bit um is that something that should be negotiated when you're taking the job do you think uh you know Jim and you talk with a lot of cesos here do you think that's something that cesos that are currently in the job is that something that they can BR you know bring up with the CEO or the board to kind of implement retroactively is this something feasible or is it just to you know sticky as as as Michael indicated oh can't hear you Jim I still can't hear Jim can okay then I'm gonna go to Michael on this um I I think you can negotiate anything um even if you're already in a Cil position either you're taking a new job as a ciso or you're already to SEO the worst thing that can happen is they say no so why not try to negotiate something and and again it could be kind of strange because they may say hey we want you to use this particular law firm and if they're already using it it could be a conflict but why not give it a shot I mean you're going to go to the table and ask for things you might as well yeah the worst case they can say is no right and then you've got to make a decision whether you're comfortable with that or Notre Jim typed in here and I'll read it for him um yes you should discuss this if you are a current ceso the probability of resolution is not high given the lack of Leverage yeah you know I I think he's absolutely spot on there absolutely spot on so that kind of brings us back you know when we talk about this dno and Eno and coverage do you think this may perhaps change the insurance industry do you think the insurers are going to start offering something special something unique for cesos because of this demand because of this case uh and they see an opportunity to to expand their Market what are your guys's thoughts Mike Michael I'll start with you I think Jim will probably have to type his answer um I I think it's absolutely possible I mean look at what happened with cyber Insurance there was not a market all of a sudden there's a huge market for cyber Insurance um it's going to be a tough one because we I don't think we have enough data to be able to support that right now um as we see depending on what happens with this case as we see more and more of them absolutely there'll be a market for it I mean anytime they can drum up a market they're going to uh I think Jim's still typing here oh so he says the evolution of indemn indemnification coverage originates from Delaware law based on three levels but again from a business perspective I would say generally speaking if insurance agencies and Industry you know smell blood in the water and think that they makeing Pro they can make a profit I think they would probably explore that opportunity to um increase their overall.



Risk Management Perspective:

  • While there were red flags, determining the severity of the breach amidst countless daily security concerns is challenging.
  • SolarWinds may not have "dropped the ball" but rather struggled with insufficient visibility and controls, a common issue across the industry.

Impact on Industry Maturity:

  • The incident highlights the need for improved security practices in product development across the industry, moving away from traditional DevOps to DevSecOps.

Negotiating Contract Clauses:

  • Negotiating protections and rights for CISOs, particularly in terms of indemnification, is feasible and advisable, whether when taking a new job or already in the position.
  • While there may be challenges, such negotiations can potentially enhance CISOs' security posture and provide peace of mind.

Changes in Insurance Coverage:

  • The SolarWinds case could prompt changes in the insurance industry, leading to the development of specialized coverage for CISOs.
  • Insurers may see an opportunity to expand their market and meet the growing demand for coverage tailored to cybersecurity leadership roles.

Balancing Risk and Market Dynamics:

  • The evolution of indemnification coverage, influenced by Delaware law, underscores the need for both legal and business considerations in negotiating insurance contracts.
  • Insurance agencies may capitalize on perceived market opportunities, driven by heightened awareness of cybersecurity risks and the need for adequate coverage.


The conversation highlights the multifaceted nature of cybersecurity management, encompassing risk assessment, contract negotiations, and insurance coverage. CISOs face challenges in navigating these complexities but can leverage negotiation strategies and industry trends to enhance their security posture and protect their interests. The SolarWinds incident serves as a catalyst for reflection and action, driving improvements in cybersecurity practices and insurance offerings.



Jim Routh a board member, advisor and investor with specific expertise as a transformational security leader focused on applying risk management discipline to a converged security function for global enterprises to achieve enterprise resilience. Demonstrated track record of designing security control using innovation and data science to align senior executives to deliver world-class level security capabilities to drive positive business results in a digital world.


Micheal W. Reese Over 30 years’ experience in Information Technology serving in senior executive positions encompassing security, general operations management, project management, process change and development, business development as well as service and product management functions. A Cybersecurity Specialist, licensed as a Computer Forensics Investigator, Certified Information Systems Security Professional, Hacking Forensic Investigator and Fire and Explosion Investigator . Assisted both the DOJ and FBI on several matters, worked with High Tech Crime Units in Portland and Sacramento. Given expert witness testimony in hearings, depositions and at trial.


Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.


Pritha Aash managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.


E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)



CISO Breakfast at BlackHat Las Vegas 2024!

  • Description:

    We are thrilled to invite you to the CISO Breakfast at BlackHat 2024. 

    CISOPlatform is a community partner for the event which is co-hosted by Silicon Valley Bank, Stage One, First Rays Venture Partners, Latham & Watkins.


    Event Details: 

    • Date: Thursday, August 8th,…
  • Created by: pritha
  • Tags: blackhat usa, las vegas, ciso breakfast, usa