Evolving Roles and Protections for CISOs in Cybersecurity Leadership By Jim Routh, Micheal W. Reese, Matthew Rosenquist and Pritha Aash

The discussion addresses the shifting responsibilities within organizations regarding cybersecurity disclosures, particularly in the context of CISOs and their relationship with other senior officers. It explores the possibility of transitioning accountability for cybersecurity disclosures away from CISOs to other senior officers like the Chief Trust Officer, CIO, or CTO.



Here is the verbatim discussion:

To you do you think that the responsibility for all this should transition away from the ceso and it almost sounds like hey you get pushed down to the Kids Table Right and one of the more senior officers right that Chief trust officer or that CIO or um CTO or whomever it is uh that they should own the you know accountability and the final say for cyber security disclosures in those forms we talked about right what do you think Michael um I I think this could be a division in the road right here because we've always and I gotta be careful how I this to that we've always said look if a ceso is reporting to a CIO it's a very Gray Line right it's almost like the fox guarding The Henhouse um if you have an issue within your it department where they're not disclosing something and you as AO report to that CIO and the CIO is not reporting it then you another question came in here you know what do you think about a negotiated contract clause that provides protections and rights to private defense I think we talked about that a little bit um is that something that should be negotiated when you're taking the job do you think uh you know Jim and you talk with a lot of cesos here do you think that's something that cesos that are currently in the job is that something that they can BR you know bring up with the CEO or the board to kind of implement retroactively is this something feasible or is it yeah it's a great Point great Point Michael uh any thoughts on those those five areas any anything resonate with you no I agree the only one I was going wow this could cause some issues would be having your own attorney um but in this case I I believe if you go back and read some of the transcripts um they both have the same law firm as CLA Piper so they're being represented by the same attorney at this point which may be okay in this particular case um in the Uber case it it would not have worked out to have the same attorney or the same Law Firm for both it's definitely a conflict of interest so you got.



Division of Responsibility:

  • There's a suggestion that CISOs may be pushed down to the "kids' table" in terms of cybersecurity accountability, with other senior officers taking on greater responsibility.
  • The idea is floated that senior officers like the Chief Trust Officer, CIO, or CTO should have final say and accountability for cybersecurity disclosures.

Implications for Organizational Structure:

  • Concerns arise when CISOs report to CIOs, potentially leading to conflicts of interest and challenges in disclosing cybersecurity issues.
  • The discussion touches on the importance of organizational structure in facilitating transparent and accountable cybersecurity practices.

Negotiating Contract Clauses:

  • Negotiating contract clauses to provide protections and rights to private defense, including the appointment of personal attorneys, is discussed.
  • While having individual attorneys may pose conflicts of interest, the choice of legal representation could vary based on specific circumstances.


The conversation concludes with agreement on the importance of clarifying and potentially redefining the responsibilities of senior officers regarding cybersecurity disclosures. The possibility of transitioning accountability away from CISOs is considered, with a focus on organizational structure and the need for clear contractual provisions to protect individual interests. Overall, the discussion underscores the ongoing evolution of cybersecurity governance and the importance of adaptability in organizational structures and practices.



Jim Routh a board member, advisor and investor with specific expertise as a transformational security leader focused on applying risk management discipline to a converged security function for global enterprises to achieve enterprise resilience. Demonstrated track record of designing security control using innovation and data science to align senior executives to deliver world-class level security capabilities to drive positive business results in a digital world.



Micheal W. Reese Over 30 years’ experience in Information Technology serving in senior executive positions encompassing security, general operations management, project management, process change and development, business development as well as service and product management functions. A Cybersecurity Specialist, licensed as a Computer Forensics Investigator, Certified Information Systems Security Professional, Hacking Forensic Investigator and Fire and Explosion Investigator . Assisted both the DOJ and FBI on several matters, worked with High Tech Crime Units in Portland and Sacramento. Given expert witness testimony in hearings, depositions and at trial.




Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.




Pritha Aash managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.




E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)



CISO Breakfast at BlackHat Las Vegas 2024!

  • Description:

    We are thrilled to invite you to the CISO Breakfast at BlackHat 2024. 

    CISOPlatform is a community partner for the event which is co-hosted by Silicon Valley Bank, Stage One, First Rays Venture Partners, Latham & Watkins.


    Event Details: 

    • Date: Thursday, August 8th,…
  • Created by: pritha
  • Tags: blackhat usa, las vegas, ciso breakfast, usa