CISOs of the World, Unite!
This article represents personal commentary from CSA’s Chief Executive Officer Jim Reavis.
I have been in the industry long enough to have observed the creation of the Chief Information Security Officer role and the journey to making this person a crucial part of our ecosystem. For almost all of that time, I have been on Team CISO and have seen them as underappreciated (and underpaid) guardians of their enterprise. Make a mistake, or more accurately, be perceived as having made a mistake, and you are out – a scapegoat for not delivering the impossible-to-achieve perfect security.
I must admit that my default attitude changed a bit in the last few years with at least some CISOs, as I have observed strong growth in budgets, salaries, and organizational authority. I can remember thinking after a few conversations, “That CISO is living in the past, stop whining and understand how good it’s gotten for you and your role.” Then the Joe Sullivan Uber case was decided and now I am 100% Team CISO again.
I assume most everyone knows the particulars: Joe Sullivan was formerly the Chief Security Officer at Uber, and in October of this year was convicted of obstruction of justice for hiding a data breach from the Federal Trade Commission. If you have not delved into the case and want to read more, here are a few relevant links:
While there are experts who have followed this story much more closely than myself, I feel I understand the pertinent facts of this case fairly well. I do not agree with many of the decisions Mr. Sullivan made, although I certainly understand his rationale that he was protecting Uber and its customers. The cover-up is almost always worse than the crime and many of us have faced that moment where we must decide if our job is worth the actions we are asked to undertake.
So, my beef is not with how the jury decided the case on its factual basis. I have a very visceral reaction to selective prosecution, to “let’s send a message” cases. How in the world is a CISO tried in a court of law for conduct that was disclosed to and approved by the CEO (at the time) and the CEO himself faces no legal consequences? We are back to making the CISO the scapegoat, only now it is worse and the CISO must worry about much more than getting fired. Why would you want to be a CISO?
Since the sentence for the conviction has not yet been made, I have written a letter to Judge Orrick to request leniency for Mr. Sullivan based upon my real concern about prosecutorial discretion and what impact that may have on the CISO profession. I love the idea, not original to me, that instead Mr. Sullivan provides cybersecurity assistance to organizations in need as community service. I encourage others to at least consider writing letters of your own. We can provide contact information for those who need it.
Finally, I would like to say that if this is a new reality, that CISOs may be personally liable for actions approved by their CEO at the time but not by the successor CEO, then we need to replace the CEO with the board of directors as the decision-making and liable authority for cyber incidents. There are some new rules being proposed by various governing bodies, such as the SEC (which I am not an expert on), but the time is now for the CISOs of the world to unite!