Accountability Fears Harming CISO Role, Says Former Uber CISO

esteria.white

The current trend of holding CISOs personally responsible for security breaches is making security professionals more reluctant to take on these positions.

This was stated by former Uber CISO Joe Sullivan, speaking at Black Hat Europe 2023.

Sullivan was convicted in 2022 on federal charges relating to the concealment of a 2016 theft of personal information belonging to Uber drivers and customers, and was sentenced in 2023.

He highlighted the broader impact of recent cases in which CISOs have been held personally responsible for security incidents within their organizations.

CISOs face growing legal scrutiny

In addition to his own case, Sullivan cited the recent charges brought by the United States Securities and Exchange Commission (SEC) against SolarWinds and its CISO, Tim Brown, for allegedly downplaying or failing to disclose cyber risks while overstating the company’s security practices. The SEC’s complaint argues that Brown is responsible not only for what SolarWinds did about security, but also for what the company said about it.

At Sullivan’s sentencing, which he is currently appealing, the judge made it clear that if a similar case came before him in the future, he would send the defendant to prison.

The former Uber CISO said the trend of holding security executives responsible for their companies’ breaches means CISOs “don’t think about the big picture, they think about themselves”, and some are even considering leaving the profession.

He added anecdotally that prospective CISOs have asked him, “why should I take this personal risk?”

The unique role of the CISO

The average person would find it reasonable for a CISO to be responsible for all aspects of an organization’s security, Sullivan acknowledged. However, the reality is that the role of the CISO is unique among management positions.

“The CISO fights a difficult battle every day as part of their job. They’re demanding resources, they’re trying to get the rest of the company to slow down and think about the things they care about,” he noted.

“Our work is different from that of others. When you are responsible for security, you are the only one who has active adversaries outside your organization trying to destroy you,” he added.

Additionally, he believes there is currently a lack of regulatory clarity for CISOs, who often inherit insecure environments when they take the role.

“We are allowed to launch a product and attract millions of users before we get Diamond security,” Sullivan commented.

Advice for CISOs

Despite the growing personal risks for CISOs, Sullivan stressed that “we must not run away from the situation,” adding that “if we do, we will miss a huge opportunity.”

He believes that a fundamental change is coming in terms of cybersecurity regulations, which will force organizations to rethink their approach to security, and today’s security professionals must facilitate this change.

Sullivan offered the following advice to CISOs on how to approach their roles in the future:

  • Develop a personal incident response plan. To prepare for possible personal lawsuits, he said CISOs need to prepare emotionally, financially and legally, and even line up public relations support in advance.
  • Build better internal relationships. Sullivan said his own case made him realize how important it is for CISOs to have close relationships with other parts of the organization, such as the communications team and senior management. This means spending time with internal departments to understand how they work.
  • Have a team you trust. During an incident, the CISO will need to spend a lot of time with the board of directors, particularly in light of the new SEC incident reporting rules. The CISO must therefore have a security team they can trust to handle the attack without their presence.
  • Build a fire station. Security leaders should model their incident response plans on how fire stations operate: built to deal with emergencies and planned ahead of time, down to details such as shift changes.

Sullivan concluded by saying that he believed the security industry was poised to go in one of two directions, and that it was up to professionals to decide which one they wanted to go in.

“We are going to become the team that deals with technical controls and is not invited into the boardroom, or we are going to become a team that is well respected and trusted at the highest levels of government and our business,” he said.
