In a revealing article by Noah Barsky on Forbes, the recent actions of Clorox following a major cyberattack raise critical questions about the role and treatment of Chief Information Security Officers (CISOs) in corporate governance. This is certainly not unique: the CISO is often the sacrificial lamb after an incident.

“It could be asked: if CEOs can suffer when earnings are bad, isn’t this the same?”

The answer is no, because the CEO has the power to implement what is needed. The CISO is often not as empowered and must make the best of what they are given. In essence, the CISO may be dealt a losing hand from the beginning with no power to change it.

Clorox suffered one of 2023’s most costly cyberattacks, which disrupted production and significantly impacted revenues and valuation, and its response was telling. The company chose to empower and enrich its board and C-suite while simultaneously announcing the departure of its CISO, Amy Bogac. This move highlights a concerning trend: CISOs are placed in a precarious position, expected to manage cybersecurity risk without adequate support or recognition, and often bear the brunt of responsibility in the event of a breach.

The article points out several governance issues in Clorox’s approach:

  • No direct mention of cybersecurity in the opening statements of the CEO and outgoing chair in the proxy statement.
  • The reappointment of all board directors, none of whom has professional IT or cybersecurity experience.
  • No establishment of a dedicated technology or cybersecurity committee.
  • A cyber preparedness plan that, despite the significant breach, showed no substantial updates from previous years.

The situation at Clorox exemplifies a broader issue in corporate governance: a disconnect between boards and cybersecurity leaders. The article cites a survey indicating that many board members still feel unprepared for cyberattacks and have limited interaction with their CISOs.

Reflection:

  • How can companies better integrate cybersecurity into their corporate governance and board responsibilities?
  • What steps should be taken to ensure CISOs are not merely scapegoats but are empowered to effectively manage cybersecurity risks?
  • Is the current corporate structure adequate to address the evolving challenges of cybersecurity, or are more radical changes needed?

Read the Forbes article here: Clorox Scapegoats Cyber Chief, Rewards Board After Crisis (forbes.com)

Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.