The growing trend of finding CISOs personally liable for security failings is making security professionals more reluctant to take up these positions.
This according to former Uber CISO Joe Sullivan, speaking during Black Hat Europe 2023.
Sullivan was convicted in 2022 of federal charges relating to the cover-up of the 2016 theft of Uber drivers' and customers' personal information.
He highlighted the wider impact of recent cases of CISOs being held personally liable for security incidents at their organizations.
CISOs Face Increasing Legal Scrutiny
In addition to his own case, Sullivan cited recent charges levied by the US Securities and Exchange Commission (SEC) against SolarWinds and its CISO, Tim Brown, for allegedly deliberately downplaying or failing to disclose cyber-risks while overstating the firm’s security practices. The charge statement argued that Brown is not only responsible for what SolarWinds has done in relation to security, but also has responsibility over what the firm has said about it.
In Sullivan’s conviction, which he is currently appealing, the judge made it clear that if he received a similar case in the future, he would send the defendant to prison.
The former Uber CISO said that the trend of holding security leaders responsible for their company’s security failings means CISOs “are not thinking about the big picture, they’re thinking about themselves,” with some even considering leaving the profession.
He added anecdotally that he has had prospective CISOs ask him ‘why should I take on this personal risk?’
The Unique CISO Role
The average person on the street would think it reasonable that a CISO should be responsible for all aspects of an organization’s security, Sullivan acknowledged. However, the reality is the CISO role is unique among executive positions.
“The CISO is fighting an uphill fight every day in their job. They’re begging for resources, they’re trying to get the rest of the company to slow down and think about the things they care about,” he noted.
“Our job is different from everybody else’s. When you’re the executive responsible for security, you are the only executive who has active adversaries outside your organization trying to destroy you,” he added.
Additionally, he believes there is currently a lack of regulatory clarity for CISOs, who often arrive in environments that are already insecure.
“We’re allowed to launch a product and get millions of users before we get diamond security,” commented Sullivan.
Advice for CISOs
Despite the growing personal risks for CISOs, Sullivan emphasized that “we should not run away from the situation,” adding that “if we do, we’ll miss a huge opportunity.”
He believes a fundamental shift in cybersecurity regulation is on the horizon, one that will force organizations to revise how they approach security, and current security professionals must be ready to facilitate this change.
Sullivan set out the following advice for CISOs for how to approach their roles in the future:
- Develop a personal incident response plan. To prepare for potential personal legal charges, he said CISOs must prepare themselves emotionally, financially and legally, and even have public relations in place.
- Build better internal relationships. Sullivan said his own case made him realize the importance of CISOs having close relationships with other parts of the organization, such as the communications team and senior leadership. This includes spending time with internal departments to understand how they operate.
- Have a team you trust. During an incident, the CISO will need to spend a lot of time with the board, particularly in light of new SEC reporting rules. As such, the CISO must ensure they have a security team in place they can trust to deal with the attack without them present.
- Build a fire station. Security leaders should model their incident response plans on how fire stations work: they are designed to deal with emergencies and plan ahead for them, for example by running teams in shifts.
Sullivan concluded by saying that he believes the security industry is about to go in one of two directions, and it is up to professionals to decide which one they want to be in.
“We’re going to become the team that’s down in the weeds dealing with the technical controls and not invited to the exec room, or we’re going to become a team that is highly respected and trusted at the highest levels of government and our corporations,” he said.