
The SolarWinds case ups the stakes for CISOs everywhere. Are you secure? Yeah? Would you bet your life on it?

How about a "dissenting opinion" envelope where a CISO lodges his most critical objections to the company's most egregious security sins? This can be discoverable as evidence if there is ever an incident. This clearly establishes that the CISO performed his function and warned of the risk but was overruled by the CEO or the Board. "Yeah? We can't afford MFA? No problem. I'm just going to note my dissenting opinion just in case this comes back to bite us."



