Don’t have one? You need one!

Employment Agreements for CISOs are incredibly important to get right. Regulatory agencies can come down hard on a CISO even when they are not at fault. The CISO over at SolarWinds allegedly racked up over $1M in legal fees even before he was indicted. The worst part of this is that SolarWinds did not have him covered with Directors and Officers insurance, so this debt was his responsibility. Luckily, SolarWinds now says it will help him with this.

Don’t let this happen to you. If you are negotiating a new Employment Agreement for a security leadership role, here are several steps to take:

  • CISO Role? Determine if the role is a Director of Security Role or a true CISO role. Here’s a checklist to tell the difference.
  • Hire a Lawyer: If this is a CISO role, spend the money to have a lawyer review your Employment Agreement and make sure you are sufficiently protected. It could keep you from losing your retirement savings or even keep you out of jail.
  • Review the SINET Risk Executive Handbook, created by Brian Fricke, CISSP, CISM, CISO for City National Bank of Florida, and Robert Rodriguez, the Chairman of SINET. It outlines many of the T&Cs a CISO may want to see if they can get included in their Employment Agreement.
  • Discuss Concerns with the Company. Be willing to have an open discussion about your concerns on the employment agreement. The executives may not understand the risk they are putting this position in; make sure they agree to cover those risks.
  • Review your Employment Agreement Annually. The CISO role is evolving. Regulations are evolving. Enforcement is increasing. Risks are more complex. Therefore, your employment agreement needs to keep up with these changes to keep you, your team, and the company out of legal trouble.

To protect yourself and the company, make sure you also address the following:

  • Legal Obligations: Employment agreements should define the legal arrangement and obligations of each party.
  • Insurance Coverage: While firms should always provide Directors and Officers (D&O) insurance for CISOs, here are some other coverages you may want to ask for or consider in case legal action is brought against you or the company: Are you Protected? What Insurance Cover Should a CISO Have?
  • Executive Commitment: Ensure you have executive commitment to comply with legal and regulatory requirements, as well as alignment on which of the industry standards should be used.
  • Establish a GRC Foundation: Build a Risk Register executives can agree on. Robust risk management governance demonstrates a proactive effort in mitigating threats and a defendable position that can lower your liabilities.
  • Aligned Objectives: Annually agree upon objectives and priorities to ensure proper expectations are set with the business.

Following these tips can ensure your employment and financial position are not marred by an unfortunate event, or one that is outside of your control.

For more helpful tips, here is a series of articles to walk you through the process from job hunting to hiring.

About Tim Howard

Tim Howard is the founder of 5 technology firms, including Fortify Experts, which helps companies hire the Best Cyber Talent on the Planet, provides vCISO/Advisory consulting, and performs NIST-based 3rd party security assessments.

How we can help you:

  1. Join over 30,000 People Getting Free Security Leadership Improvement Advice ➡ Follow me on LinkedIn.
  2. If you want to raise the expertise or performance level of your security team ➡ Contact me.
  3. If you don’t have a Clear Picture of Your Cybersecurity Maturity Level or Need a Strategic Improvement Roadmap ➡ Contact me.
  4. Join our interactive Monthly CISO Forums.