After the Uber Breach: 3 Questions All CISOs Should Ask Themselves
The recent conviction of Joe Sullivan, Uber’s chief information security officer (CISO), for failing to report the company’s 2016 data breach came as an unwelcome surprise to some and as a justified consequence of Mr. Sullivan’s actions to others.
As a fellow CISO and information security leader for over 30 years, I respect Sullivan’s distinguished career and, at the same time, fully support the verdict. Sullivan found himself in an ethical dilemma that most CISOs find themselves in sooner or later. How a CISO decides to handle that dilemma can make or break their career.
The role and responsibilities of the CISO are constantly evolving and are scrutinized even more so thanks to the growing publicity around large breaches, such as that seen at Uber.
For CISOs considering what these recent events mean for them, it’s a suitable time to ask three important questions.
1) As CISO, what is my responsibility when there’s a data breach?
While the Uber trial may have brought the CISO’s role into sharper focus, I don’t think it changes the responsibility or liability associated with the role. When a breach occurs, the CISO’s responsibility is clear: be transparent and provide all the necessary disclosures. Sometimes these disclosures are mandated by regulatory bodies, and sometimes they are just considered a responsible disclosure by the company to its constituents.
I don’t know if Sullivan’s first reaction was to take the correct action and report the breach as required by law. Considering his long career, I certainly hope that was the case. That said, depending on the reporting structure within the company, many CISOs may not have the final say about whether the company will disclose the breach. As is often the case, the CISO may be overruled and pressured to find a way to reframe the breach as something other than a breach. This reframing can help the company avoid potential negative consequences, including regulatory fines, remediation costs (for example, providing credit monitoring services to affected customers), and impact on customer trust and company reputation.
A breach is, quite correctly, viewed as a failure of the company to protect the data that was breached. It can also ultimately be viewed as a failure of the CISO. This raises the age-old questions: Where does the buck stop? And who bears the ultimate responsibility for the breach? Regardless, it’s not a simple thing for a company to admit or disclose.
The CISO’s ethical dilemma is: Do I maintain the integrity of my role and follow my responsibility? Or do I try to reframe the incident so that my company doesn’t bear the consequences?
I would like to think that if I were in Sullivan’s shoes, I would be willing to resign my position rather than betray the integrity of my role and, frankly, the trust of my constituents. To paraphrase US President Harry S. Truman, “The cybersecurity buck stops with the CISO.”
2) What is my company’s plan for when (not if) we get breached?
As the CISO for a security vendor, I know all too well the motivation and determination of bad actors and nation states. I also understand the odds organizations face in falling victim to an attack — organizations must assume they’ll be breached. What will you do when that happens?
Addressing worst-case scenarios and having a contingency plan in place before you get breached can minimize the financial and operational fallout when you do. What’s the cost of downtime if an attacker takes your customer support or supply chain operation offline? Where are your systems most vulnerable? How do you contain the damage, and how quickly can you recover? How do you communicate what happened to your employees, customers, and the board?
The CEO and other company officers must proactively work with the CISO to address these questions and develop a comprehensive plan that is ready when a breach occurs. Immediate action — and honesty — count above all else. But such a plan will only be successful if it has been created, vetted, and rehearsed well in advance.
3) What is my role with the board of directors?
The most resilient companies commit to security at the top and drive it down through every level of the organization. This means establishing a strong cybersecurity culture with the board, as well as with employees. Many CISOs may have to contend with the biases of boards that say, “that’ll never happen to us” or “it’s going to happen anyway, so why invest in cybersecurity.”
One way for CISOs to enhance their relationship with the board is to serve as the bridge between technology and business. We need to show the board that we manage cybersecurity as a business risk, and align with performance, growth, and other business goals of the organization. Be sure to use business terms and outcomes, not just technical acronyms and concepts. Help answer the question “Why should I care about this?” And if you succeed in being granted resources by the board, it’s important to follow up with a report that connects the resources you requested to the business results and outcomes that followed.
In my own experience, to be most effective, it’s important for the CISO to nurture a relationship with their board members outside of regularly scheduled meetings. This gives us the opportunity to better understand what our board members are expecting from the CISO, and likewise, to start educating the board. In the end, the practice of cybersecurity is about managing risk, but the truth is that we can never eliminate risk completely. Daily breach headlines have put every CISO in the hot seat. The CISO has a daunting job: they must manage their organization’s day-to-day defense, while simultaneously creating an action plan for that inevitable future attack. It takes integrity and honesty for a CISO to successfully lead and thrive today in this challenging and critical role.
Copyright © 2023 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.