Negotiating Private Counsel Coverage as a CISO

By Jim Routh, Micheal W. Reese, Matthew Rosenquist and Pritha Aash

The discussion revolves around the responsibilities of CISOs and other senior officers regarding cybersecurity disclosures, the potential transition of accountability, and the feasibility of negotiated contract clauses for cybersecurity protections.


Here is the verbatim discussion:

Looking at that in play, and I'm sure your attorney would let you know that, you know, those five are great. I mean, that's what we need in order to move forward.

Yeah, I would concur. The whole private attorney thing, I like it. And, you know, my advice to CISOs is it doesn't hurt asking. I mean, you're gonna have to be bold anyway; start being bold when you're negotiating for the position. You want to make sure it's covered. Um, it doesn't hurt to ask, to float the idea, uh, and depending on the organization you may want to push harder, right, to make sure that you do have that. And there's probably going to be some barriers on when you can bring in a private attorney, obviously. Um, it's not going to be on every document and everything that you're doing for the company, but definitely on public disclosures.

All right, so we're gonna open it up. I believe there's some questions here from the audience. What do we have out there?

Uh, so the first one says, uh, did SolarWinds and its CISO fail to disclose material cyber security risks to investors?

All right, Jim, Michael, we talked about it, but what do you think?

Potentially.

Okay, I've got one "potential". Michael, what would you say?

I'm gonna say potentially also, because it depends. I'm going to say, and it's another way of saying potentially, but I'm going to say if even half of what's in the SEC complaint is true, I'm gonna say yes. If it isn't true or forthright, then I'm going to say, ah, no. You know, we don't have the full picture.

That's true. Okay, question here.

So the second one: did SolarWinds and its CISO ignore repeated red flags about the company's cyber security vulnerabilities?

And Jim, you started talking about this, right, especially when you talked about, uh, you know, supply chain issues, and Michael, you talked about, right, nation-state attackers. And I mean, ultimately, the audience needs to know what, there were 18,000 potential victims, uh, at the compromise of their primary product. Now, not all of them were victimized, but, you know, Jim, I'll start with you. Uh, do you think from a risk perspective, and kind of gets away from the case of fraud, but just from a risk management perspective, did SolarWinds drop the ball here?

Uh, no, I don't have information to support that premise at all. Um, what I would say is that identity access management practice in software development in a cloud-first model across every single enterprise sucks, right? It's inadequate, insufficient, not enough, uh, and that's every enterprise. And so we all, every enterprise has to step up and deal with that challenge, and that's not necessarily unique to SolarWinds.

Yeah. Michael, your thoughts?

Yeah, we see that across the board, right? Um, and I know Jim used the word DevOps. I'm getting away from DevOps; it's DevSecOps. You have to include security when you start building that product. You've got to understand what that flow of data is, so if something happens, you're right there. Um, so yeah, I think that's the first thing we need to do, is make sure SDLC, that software development life cycle, we know what's going on with there and we're building a software platform that's going to work and it's going to be secure. But that starts at the beginning; that starts at the beginning of that DevSecOps. I totally agree with Jim.

Yeah, um, I'm in line with you guys. The reality is, were there red flags? Yes, but that's our daily job; we're dealing with red flags every single day. Um, and so, you know, I haven't seen all the data. I, you know, don't know what they knew, when they knew it, and so I can't say that, yeah, there were obvious red flags that they should have jumped on. I think there were red flags, but okay, out of the million red flags that we deal with, how did we know that this combination was, you know, something so severe? Um, at the point that the security firms came to them and said, "We can definitively show that your product is hacked," which is what happened in December, uh, at that point they did respond to it. So I do like that fact, but I'm with you guys. You know, it's tough, especially when there's insufficient visibility, insufficient controls, and we do not have good security baked in as part of product development across the industry. It's not just SolarWinds, right? It's, well, unfortunately, it's everybody. This is just the state of maturity that we have.

Another question came in here: you know, what do you think about a negotiated contract clause that provides protections and rights to private defense? I think we talked about that a little bit. Um, is that something that should be negotiated when you're taking the job? Do you think, uh, you know, Jim, and you talked with a lot of CISOs here, do you think that's something that CISOs that are currently in the job, is that something that they can, you know, bring up with the CEO or the board to kind of implement retroactively? Is this something feasible, or is it just to, you know, stick is as as Michael indicated? Oh, can't hear you, Jim. I still can't hear Jim. Can... Okay, then I'm gonna go to Michael on this one.

Um, I think you can negotiate anything, um, even if you're already in a CISO position. Either you're taking a new job as a CISO or you're already the CISO, the worst thing that can happen is they say no. So why not try to negotiate something? And again, it could be kind of strange, because they may say, "Hey, we want you to use this particular law firm," and if they're already using it, it could be a conflict. But why not give it a shot? I mean, you're going to go to the table and ask for things; you might as well.

Yeah, the worst case they can say is no, right? And then you've got to make a decision whether you're comfortable with that or not. Jim typed in here and I'll read it for him: um, "Yes, you should discuss this; if you are a current CISO, the probability of resolution is not high given the lack of leverage." Yeah, you know, I think he's absolutely.




Transition of Responsibility:

  • There's a consideration for shifting cybersecurity disclosure responsibilities away from CISOs to other senior officers like the Chief Trust Officer, CIO, or CTO.
  • The importance of organizational structure in facilitating transparent and accountable cybersecurity practices is highlighted.

Negotiating Contract Clauses:

  • The feasibility and importance of negotiating contract clauses for cybersecurity protections, such as appointing personal attorneys, are discussed.
  • While there may be barriers and conflicts of interest, it's suggested that it doesn't hurt to ask during negotiations.

Discussion on SolarWinds Case:

  • The conversation touches on whether SolarWinds and its CISO ignored red flags regarding cybersecurity vulnerabilities.
  • It's acknowledged that while there were red flags, assessing their severity amidst numerous daily concerns is challenging.
  • The importance of integrating security into the software development lifecycle (SDLC) from the beginning is emphasized.


The conversation concludes with an agreement on the need for bold negotiation and proactive measures by CISOs to ensure cybersecurity protections. It underscores the complexity of cybersecurity governance and the importance of organizational structures and contractual provisions in fostering accountability and transparency.



Jim Routh is a board member, advisor and investor with specific expertise as a transformational security leader focused on applying risk management discipline to a converged security function for global enterprises to achieve enterprise resilience. He has a demonstrated track record of designing security controls using innovation and data science to align senior executives to deliver world-class security capabilities that drive positive business results in a digital world.


Micheal W. Reese has over 30 years' experience in Information Technology serving in senior executive positions encompassing security, general operations management, project management, process change and development, business development as well as service and product management functions. A Cybersecurity Specialist, licensed as a Computer Forensics Investigator, Certified Information Systems Security Professional, Hacking Forensic Investigator and Fire and Explosion Investigator. He has assisted both the DOJ and FBI on several matters and worked with High Tech Crime Units in Portland and Sacramento. He has given expert witness testimony in hearings, depositions and at trial.


Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.


Pritha Aash is managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and I'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

