How CISOs can protect their personal liability
- by nlqip
Court cases against CISOs that threaten jail time and expensive penalties, such as those against former Uber CISO Joe Sullivan and SolarWinds’ Timothy G. Brown, have kept CISOs awake at night. The pressure is on for CISOs to figure out how to minimize not only professional but personal risk from the important work they do at their organizations — even when budgets and business executive decisions may expose their companies to potential security incidents. When big breaches hit in today’s climate, a CISO is no longer just worried about getting fired — they could be on the hook for life-changing consequences.
While some CISOs may be considering leaving their role altogether in favor of greener pastures, others are staying and doing what they do best: managing risk. Only this time the risk management is on a personal level.
Here’s how CISOs can keep doing good work without risking personal consequences when breaches and other security incidents inevitably hit their organizations.
Clearly define roles and responsibilities
One of the most important ways that CISOs can start to protect themselves is by ensuring that there’s a definitive set of corporate standards for security roles and responsibilities.
“My advice would be taking a look at every governance document you’ve got and really make sure that they’re crystal clear about roles and responsibilities, especially around who makes risk management decisions,” recommends Charles Blauner, a former banking CISO, and currently cybersecurity advisor for his consultancy Cyber Aegis, as well as CISO in residence for venture fund Team8.
Unfortunately, many CISOs today operate without that kind of clarity, says Ilia Kolochenko, founder of cybersecurity firm ImmuniWeb and a practicing attorney in cybersecurity for Platt Law LLP. He’d venture to guess that if someone were to ask CISOs at large companies whether they could clearly and comprehensively enumerate all their duties, most of them would say ‘no.’
“Frequently, CISO professional duties are vague and they’re really blurred. You are in charge of everything,” he tells CSO. “At the same time, when you need budget, you cannot have it because it’s actually the board who’s deciding.”
One important tool organizations should be using for charting out security duties is a responsible, accountable, consulted, and informed (RACI) matrix, says David Cross, senior vice president and CISO for Oracle SaaS Cloud. “Because if you don’t have a RACI, you don’t actually have roles and responsibilities defined. Then, who are they going to blame when there’s a problem?”
Cross tells CSO this kind of matrix can help the company set responsibility standards not just for the CISO but also across all of a CISO’s key partners and executives that they’ve got to collaborate with. This can set the rules everyone lives by when risk decisions are made.
“It’s documented, it’s public inside your company and when anything comes up, it’s crystal clear who’s making the decision,” Cross says, explaining it’s also easier to answer when the standard is being violated and by whom.
Roles and responsibilities should be drawn up not only for big-picture strategic decision-making, but also for tactical incident response plans and playbooks to lay out who does what when things hit the fan. “If your playbook does not include everyone in the chain of command — legal, communications, the CEO, and other executive representatives — then guess what? When an incident happens, you don’t have the right people prepared,” he says.
From policies to meetings, document everything
Of course, it’s not just roles and responsibilities that need to be documented. Effective CISOs need to make documentation the name of the game in just about every other facet of their job. Not only is this important for doing their duty as a risk officer who is answerable to the board and to auditors — it can also make all the difference in reducing their personal liability. “Documentation is essential. When you have documentation, you are already decently protected,” says Kolochenko.
The documentation trail starts with corporate policies and procedures for processes, perhaps also a risk acceptance framework, and continues daily through not only email and written correspondence, but also notes taken by the CISO. According to Cross, he records notes about every meeting he has, who was there, the actions taken, and the responsible decision-makers involved. “I write something called my weekly security dossier,” Cross says. “Everyone knows this. (It covers) every meeting, who’s there, what’s decided. It’s all documented.”
Setting policies for what happens when things go wrong, who should be informed, and who should be signing off on next steps is an important CYA mechanism for CISOs. Kolochenko explains that a CISO can act in much greater personal confidence if they’re able to tell a regulator or prosecutor that they have a corporate policy reviewed by general counsel, that the CISO followed rules and notified the board and counsel of a security weakness via email, and that the higher ups responded to proceed as usual. “Then you have available evidence saying, ‘I’ve been acting as per corporate rules and I fully acted in compliance with our policy and procedure,’” he says. “If the board ignores your email, later on it will be their accountability and responsibility.”
Establish a risk register
One of the most effective and methodical methods of documentation that a CISO can maintain is a risk register that identifies existing cyber risk and records risk acceptance by relevant business stakeholders. This can help bring greater visibility into cyber risk to the board and it certainly helps CISOs to protect themselves.
“In order to run a security program, you have to have a risk register. It’s like table stakes,” says Greg Notch, CISO of Expel, a managed detection and response firm, and a longtime security veteran who served as CISO for the National Hockey League prior to this job.
Some organizations may use governance, risk and compliance (GRC) platforms to track the risk register, but this is not necessary. In many cases all it takes is a spreadsheet, says Notch, who explains that this is how he does it. He’s not alone. Kayla Williams, CISO at security firm Devo, says she uses spreadsheet templates to track risk acceptances and control exceptions made by different business stakeholders.
“Through Google Sheets, you can actually set up approvers and email them. So, in my risk framework, I have a hierarchy: if it’s a low risk, the risk owner can accept it. If it’s moderate, then it goes up to the functional department. If it’s high, it goes to me or a delegate on my team and to general counsel. And then if it’s critical, it goes up the chain to the CEO,” Williams tells CSO. “It’s documented through the Google Sheet approval flow. And I just have them in folders by years. And when auditors come in and ask for information, I can say, ‘Here you go, have at it.’”
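The tiered acceptance flow Williams describes is easy to lose in a free-form spreadsheet, so here is an added illustration (not code from the article or from any of the firms mentioned) of a minimal risk register that encodes the chain of required approvers per severity tier, records who accepted what and when, and refuses to mark a risk as accepted until every required role has signed. The likelihood/impact scoring thresholds, role names, re-review intervals and sample entries are all assumptions constructed for the example.

```python
"""Minimal risk register with tiered acceptance (illustrative, hypothetical code).

Mirrors the hierarchy described in the article: risk owner -> department head
-> CISO + general counsel -> CEO. Thresholds, role names and sample data are
constructed for this example, not taken from any real organisation.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Who must sign off to accept a risk at each tier (assumed chain; cumulative,
# so a high risk still needs the owner and department head as well).
APPROVERS_BY_TIER = {
    "low":      ["risk_owner"],
    "moderate": ["risk_owner", "department_head"],
    "high":     ["risk_owner", "department_head", "ciso", "general_counsel"],
    "critical": ["risk_owner", "department_head", "ciso", "general_counsel", "ceo"],
}

# Assumed re-review interval per tier, so accepted risks do not go stale.
REVIEW_DAYS = {"low": 365, "moderate": 180, "high": 90, "critical": 30}


def severity_tier(likelihood: int, impact: int) -> str:
    """Map 1..5 likelihood and 1..5 impact to a tier (assumed thresholds)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be in 1..5")
    score = likelihood * impact
    if score >= 20:
        return "critical"
    if score >= 12:
        return "high"
    if score >= 6:
        return "moderate"
    return "low"


@dataclass
class Approval:
    role: str
    person: str
    on: date
    evidence: str  # pointer to the email, ticket or sheet row (constructed)


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    likelihood: int
    impact: int
    owner: str
    opened: date
    approvals: List[Approval] = field(default_factory=list)

    @property
    def tier(self) -> str:
        return severity_tier(self.likelihood, self.impact)

    def required_roles(self) -> List[str]:
        return APPROVERS_BY_TIER[self.tier]

    def record_approval(self, role: str, person: str, on: date, evidence: str) -> None:
        # Reject sign-offs from roles outside the chain: an approval from the
        # wrong level is not evidence that the right level accepted the risk.
        if role not in self.required_roles():
            raise ValueError(f"{role} is not in the approval chain for a {self.tier} risk")
        self.approvals.append(Approval(role, person, on, evidence))

    def missing_roles(self) -> List[str]:
        signed = {a.role for a in self.approvals}
        return [r for r in self.required_roles() if r not in signed]

    def is_accepted(self) -> bool:
        return not self.missing_roles()

    def review_due(self) -> Optional[date]:
        """Date by which an accepted risk must be re-reviewed; None if not accepted."""
        if not self.is_accepted():
            return None
        return max(a.on for a in self.approvals) + timedelta(days=REVIEW_DAYS[self.tier])


def build_sample_register() -> Dict[str, RiskEntry]:
    """Two constructed entries, as a CISO might keep them in a spreadsheet."""
    reg: Dict[str, RiskEntry] = {}
    r1 = RiskEntry("R-001", "Legacy file-transfer server cannot be patched until Q3",
                   likelihood=4, impact=4, owner="it-ops", opened=date(2024, 1, 15))
    r1.record_approval("risk_owner", "IT ops lead", date(2024, 1, 16), "sheet row 12")
    r1.record_approval("department_head", "VP Infrastructure", date(2024, 1, 18), "sheet row 12")
    r1.record_approval("ciso", "CISO", date(2024, 1, 19), "email thread (constructed ref)")
    reg[r1.risk_id] = r1  # general counsel has not signed: still not accepted
    r2 = RiskEntry("R-002", "Marketing site lacks a Content-Security-Policy header",
                   likelihood=2, impact=2, owner="web-team", opened=date(2024, 2, 1))
    r2.record_approval("risk_owner", "Web team lead", date(2024, 2, 2), "sheet row 13")
    reg[r2.risk_id] = r2
    return reg


def audit_report(register: Dict[str, RiskEntry]) -> list:
    """One tuple per risk: id, tier, accepted?, missing roles, review-due date."""
    return [(r.risk_id, r.tier, r.is_accepted(), r.missing_roles(), r.review_due())
            for r in register.values()]


if __name__ == "__main__":
    for row in audit_report(build_sample_register()):
        print(row)
```

The point of `missing_roles()` is that the register answers the auditor's question directly: not "was this risk discussed" but "which named role has not yet accepted it", which is the evidence trail Kolochenko describes. The `review_due()` date keeps an acceptance from silently becoming permanent.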
Insurance and indemnification protection
Even with rock solid policies, procedures, and documentation, CISOs should also seek to establish legal protection through tools like indemnification agreements, employment contractual terms, and the right level of insurance protection.
Kolochenko says CISOs that are unsure of their protections should proactively reach out to their general counsel and ask them about all of their duties, liabilities, and protections. If something sounds unfavorable, push back, he says.
“Don’t hesitate to renegotiate certain things, because if your general counsel says, ‘Listen, you have no protection whatsoever and if we are hacked, we’ll sue you as well. We’ll join the class action lawsuit and we’ll take you to court,’ it’s a good idea to renegotiate employment conditions,” he says. “I think it is always a good idea to mention, ‘Listen, it’s not just about me. If you want me to be efficient and effective and if you want me to protect our trade secrets and intellectual property, and personal data for our customers, I need additional protection to be certain that I can do what is right, not just what is politically correct or where I have the least possible personal risk.’”
One of the oft-repeated pieces of advice is to make sure you’re covered by directors and officers (D&O) insurance, but the experts warn CISOs to keep in mind that there are often limits to what it covers.
“If you’re a director and officer of a company and you’re somewhat fiscally responsible for decisions that impact the risk of a business, you should have D&O insurance. This is the company’s risk, not your risk,” Notch says. “But it’s also not the panacea people think it is. Because first off, D&O insurance will not cover you for criminal liability. And it will not cover you for governmental liability, either. So, if the SEC comes knocking, your D&O doesn’t necessarily cover you. It’s all fun and games until you get a Wells Notice.”
Joe Sullivan, former CISO of Uber, was taken to court by the Federal Trade Commission, convicted in connection with that firm’s 2016 data breach and sentenced to three years’ probation — a conviction that he and his lawyers currently have under appeal. He notes that he gets frustrated when he sees lawyers get up at conferences talking about his case and offering advice on what to do to “not turn out like Joe,” with D&O insurance being one of those lynchpin points.
“We did all those. We had an incident response policy. We had the equivalent of D&O insurance,” says Sullivan, who in the last year has been hitting the conference circuit advising other CISOs on how to limit their liability, and recently took an advisory role for startup BreachRx. “What you want is insurance that’ll protect you personally if you need to get a lawyer during litigation and that the costs get covered. Indemnity is not without limitation and that’s something you should talk about with the lawyers.”
Get your own lawyer
As Sullivan notes, setting up independent counsel is probably one of the single most important — and oft-overlooked — protections a CISO can establish for themselves in today’s regulatory climate.
“There’s one crucial point that some people probably miss. When you are an employee of a company and you have a general counsel, general counsel is not your attorney,” Kolochenko adds. “This is very important. In most cases, general counsel will act in the best interests of your employer.”
When CISOs aren’t aware of the terms of this relationship, they can potentially set themselves up for some ugly conflict of interest situations that could put them in personal legal peril.
“Let’s say, a CISO talks to a general counsel and says that ‘Listen, it’s all my fault,’ clearly admitting the guilt. Later on, the company utilizes this information against the CISO. The CISO may have a valid claim against the general counsel. But I don’t think that it will bring much value to have another legal action pending in parallel.”
Proactivity in vetting a lawyer before a crisis ever presents itself is crucial. “When you have already received a summons to court, it may be a little too late,” Kolochenko says. “Most importantly, you and everyone around you will make suboptimal decisions.”
CISOs don’t necessarily have to have someone on retainer, but they should seek out some free initial consultations and find a lawyer with the right mix of employment, corporate, and cybersecurity liability experience.
One other thing to do in advance is to try to negotiate for the employer to reimburse independent legal expenses or, at the very least, to agree that the CISO will engage personal counsel as a matter of course when a breach incident starts unfolding. Sullivan even suggests having the CISO negotiate for the organization to put it in their best practices document. “Imagine you’re in the middle of a security incident and all of a sudden you call the general counsel and you say, ‘I need independent representation.’ Are they going to trust you the rest of that incident? No,” Sullivan tells CSO. “So, you actually want to have those conversations in advance.”
Be aware of what the company says publicly about security
Finally, one thing CISOs should keep in mind is that the crux of many legal battles brought in recent years has less to do with the specific elements of an organization’s security practice and more to do with what the organization told the public and shareholders about what it was doing to protect information.
“The tool that they have is they can go after companies that make misstatements that are material,” Sullivan explains. “Their focus is not on whether SolarWinds had good security practices. Their focus is on what did they say, what did they promise, what did they under deliver in terms of their promises? And in my case, it was the FTC talking about deceptive trade practices by the company.”
Security leaders can protect themselves by ensuring they have a say in the things their company says publicly about its security stance. “Those are the things that the company is being measured on. What did you say in your privacy policy? What did you say in your 8-K? What did you say in your 10-K?” Sullivan says.
“One of the takeaways that I have from looking at the pattern of cases is that security leaders need to actually pay attention to the content that their company’s putting out and say ‘if you’re going to say something about security, can you at least check with the security team first to make sure it’s accurate.’”