The U.S. Treasury reported last month that Chinese hackers had infiltrated its computer systems and taken various “unclassified documents.” A week later, Rhode Island’s RIBridges systems announced that Brain Cypher, a cybercriminal network, broke into its network and took the Social Security and bank account numbers of hundreds of thousands of Rhode Islanders. In both cases, hackers used stolen keys to breach systems managed by private cybersecurity companies.

While it may be that the companies, employees and contractors involved in protecting these computer systems dropped the ball by not securing the keys used in the breaches, in neither case were they alleged to have interests that may have conflicted with their companies’ or their clients’ best interests. However, that may change if chief information security officers (CISOs) become incentivized to choose a cybersecurity product based not on which is best for the company but on which is best for the CISO personally. It appears this may already be occurring.

A recent article in Forbes revealed that Cyberstarts, a venture capital fund, deployed a program to boost the prospects of its portfolio companies. The fund allowed CISOs to participate in profits based on the time they invested in providing product feedback and insights about their cybersecurity needs to Cyberstarts. The article reported that the potential take for a CISO could be as high as $250,000 over the fund’s life.

This arrangement could be perceived as a conflict of interest that goes against the fiduciary duties that corporate executives owe to their companies and their owners. Companies hire CISOs precisely because they have the experience and understanding to identify and acquire the best technology to secure their company’s and customers’ data from hackers. However, creating an incentive for them to put that aside for their own pecuniary interests effectively encourages a breach of fiduciary duties.

While few people see Cyberstarts as wanting to intentionally destabilize national security, the Forbes piece suggests it attempted to entice CISOs at prominent companies like Heinz, Colgate-Palmolive and Chipotle to make conflicted decisions.

Wiz, a small but fast-growing cybersecurity fund, is an example of the problems such incentives can cause. The firm boasts of reaching $100 million in annual recurring revenue in 18 months. Its aim is to reach $1 billion in 2025.

Wiz’s early-stage technology may benefit from new and imaginative approaches to cybersecurity. At the same time, it might suffer from a lack of experience or insights into the cybersecurity world that could highlight gaps in the firm’s products. Even if Wiz or the other Cyberstarts portfolio companies have the best technology available, the mere appearance of such conflicts may taint any decision to use such companies. This makes it a risky bet for a CISO considering cybersecurity defenses for their publicly held company or national security clients.

These conflicts arise as breaches of supposedly impenetrable private firms have become common in recent years. The loss of trust in large publicly traded companies and in the companies hired by the government to combat cyber-actors is compounded by the deleterious effects such breaches can have on national security.

Furthermore, cyber warfare has shifted toward state-sponsored players from Russia, China and Iran and away from shadowy groups seeking unearned financial gain from access to personal information. Of course, the RIBridges breach shows the latter type of hacker still exists.

The problems that state-sponsored hackers can cause go to a different level. For instance, the breach of SolarWinds gave Russian hackers access to classified information at the Departments of Defense, Homeland Security and State, not to mention large tech companies Microsoft and Cisco. Last year’s tapping of the phones of Donald Trump and JD Vance by Beijing-backed Salt Typhoon created similar security concerns.

The problems coming from these entities are worrisome enough, even without the prospect of corporate executives redirecting financial and human resources to untested security systems for personal gain.

Fortunately, Cyberstarts says it has ended its Sunrise-CISO payday program. Still, we should ensure that no other firm in this field imitates this problematic business model.

James C. Allen is a former head of CFA Institute Capital Markets Policy Group and founder of Delahaye Advisers LLC, a financial consultancy in Charlottesville, Virginia. He wrote this for InsideSources.com.