This post was originally published on CSO Online.
- Joseph Sullivan (former CSO of Uber) was convicted on federal charges for covering up a data breach
- This shouldn’t be a cause for panic amongst CISOs, who can follow 4 strategies to keep this from happening to them
- Choosing to become a CISO (or where to take a job as a CISO) should be based on how you perform your job based on the way your values align with those of the company where you work
There seem to be two reactions to the verdict in the Sullivan case. One reaction, often from CISOs already stressed by being outside the room where it happens, is to decide that being a CISO isn’t worth the risk – it already wasn’t worth the stress. If the title is really Chief Scapegoat Officer, it’s one thing to lose your job, but your freedom? That’s across the line. The second reaction seems to be nonchalant. What’s the big deal, after all? It’s just one person, and there was some shady stuff going on over at Uber anyway.
Going to jail as a CISO is a new and novel risk, and humans tend to react strongly to surprising risks, especially when they hit close to home. Joe Sullivan is the first CISO to be in this position, and many in the security industry knew him, so it’s reasonable to take this a little personally. But professionally? Most CISOs aren’t going to find themselves in Joe Sullivan’s shoes.
The central issues in the case seem straightforward: Uber was under investigation for privacy issues. Uber had a data breach. The attackers extorted Uber. Uber paid them through their bug bounty program (albeit by modifying the bug bounty program to meet the hackers’ demands). Uber did not disclose this breach to the federal investigators. Those facts don’t seem to be in contention. What did seem to be in contention was who knew all the details. Was it just Joe Sullivan? Was it Uber’s other lawyers? (Sullivan was also wearing the hat of deputy general counsel). Was it the other executives?
Regardless of these questions, CISOs have specific obligations that come with their role in the organization. In this post, I’m going to break down why CISOs need not worry that what happened with Uber could happen to them.
4 Steps for CISOs to Avoid Legal Trouble
Uber’s early startup culture was heavily driven by its founder, Travis Kalanick, and calling that culture “techbro” isn’t nearly evocative enough. While it can be tempting to want to be the hero and turn around an organization, it’s essential to recognize that you’re at heightened risk – both of finding convenient shortcuts and in inheriting a program that probably has a lot of weaknesses. Moving into a company that was just starting to care about user privacy, and which the government was already paying close attention to, was a risky move. Here are a few strategies and tips for assisting CISOs in getting out of difficult situations.
Step 1: Understand Research Versus Targeted Attack
There is a difference between a security researcher and an attacker. A security researcher might compromise your systems and get access to your data repository, but they stop before they exfiltrate your data. They might redact a screenshot, or take a tiny sample of something, and then they will carefully track where everything went. They’ll contact you under a name that ties back to them. The researcher hopes you’ll pay them a bounty, especially if you have a bug bounty program, but they risk you deciding not to pay. Their only recourse if you don’t pay is to disclose the vulnerability publicly to embarrass you.
An attacker takes your data. They hold it hostage and demand that you pay them, or they’ll do something nefarious – sell the data to a broker or just publish it for the world to see. They started by doing you harm, and reputational harm is only the beginning.
Step 2: Follow the Necessary Steps
Whether you suffer a data breach or “just” have a vulnerability found by a third party, you have a duty to publicly disclose it. Sometimes, that duty comes from legal or regulatory regimes, and you might have a time limit to disclose. Other times, that duty comes from harm minimization. If an adversarial third party knows you have a weakness, you negate a lot of risk by fixing it and telling the world. The adversary loses any hold on you, because now they can’t disclose anything interesting.
Step 3: Embody Truth, Honesty, and Cooperation
Now, if your company is under investigation by the government, for anything, be really careful about what you hide from the investigators. Being non-responsive, especially in an area they are actively scrutinizing, is a serious problem.
Step 4: Look at the Big Picture of Company Protocol
If your company violates the above rules despite what you have done to be honest and forthcoming, make sure you aren’t the scapegoat. If there are communications between you and other executives, especially if they pressure you to break these (or other) rules, keep receipts. Retain your own lawyer (and remember, your company’s lawyers have no obligation to you, just to the company). Make sure they get a copy of the receipts, because when you leave the company, you’ll lose access to your inbox. If your inbox is the only place you had evidence that it was a company decision, and not you acting as a rogue executive, you won’t be able to keep that evidence. This step might not keep you out of jail, so it’s hard to call it a separate fifth step, unless the act of keeping evidence makes it harder for your conscience to accept being complicit in breaking the above rules.
Should I Take the CISO Job?
This verdict shouldn’t be the deciding factor in whether you’re going to be a CISO. For most people who are aiming to be CISOs, this isn’t a significant enough risk to alter their decisions. For a small handful of executives – maybe the “CISO-stars” who do step into high-risk, high-profile situations – this may dissuade them from a dangerous situation. For most CISO candidates, though, this verdict shouldn’t change your career plans.
What’s important to note here is that as a CISO, you deal with high-pressure situations constantly – it comes with the territory of being in cybersecurity. That being said, embodying the same qualities you would in any other profession (namely, honesty, integrity, and cooperation) will serve you well and help you see that the fear of what happened with Uber is not what all of us are destined for.
Protect Your CISOs from Potentially Harmful Situations
The Uber ruling will undoubtedly impact organizational security and the CISO position for the foreseeable future. It’s more crucial than ever to make sure your company has security measures in place to guard against the numerous threats and vulnerabilities waiting to strike. Take preventive action with Orca’s comprehensive cloud security platform, the first agentless cloud security technology featuring the widest visibility into cloud workloads and associated risks. To find out more, read Orca’s case studies or request a demo. You can also sign up for a free, no-obligation risk assessment to get started today!