This is a challenging time to be a CISO. The security community has been closely following multiple stories about Uber in the past few weeks, from the play-by-play of its recent major hack to last week's guilty verdict against former Uber security chief Joe Sullivan, and the takeaway for CISOs is that they face considerable challenges.
The verdict in the Sullivan case found him guilty of obstructing a federal investigation (the Federal Trade Commission's inquiry into Uber) and of misprision of a felony, that is, concealing a felony from the government. According to the New York Times: "Stephanie M. Hinds, the US attorney for the Northern District of California, said in a statement: 'We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.'"
The government is sending a message to CISOs in the US: disclose and potentially lose your job, or cover up and go to jail. If they disclose to the government, they satisfy their compliance obligations, but their job is on the line. A breach, especially one in which personally identifiable information (PII) is compromised, will likely result in a lawsuit, and the CISO will likely be fired.
But the punishment for noncompliance, for an inability to demonstrate full disclosure, or for anything in the gray zone in between is now personal (unlike other regulations, where noncompliance results in fines for the company). Covering up a breach, as in the Uber case, and then further hiding details of the hack from a federal investigation can result in prison time.
This case also brings to light a new challenge for CISOs: "What did you know?" Concealment of information is central to this case and verdict. Claiming "I didn't know" is not an answer for a CISO facing a data breach: it reflects negligence at best and a lie at worst. Security teams need to know their security posture, and most likely do know it from the many security tools they use, and what they know cannot be concealed.
The Sullivan case has enormous gravity for the security industry. What can we expect from CISOs? Are these expectations fair?
Managing Expectations for CISOs
According to the proposed SEC rule, the expectations are as follows. From the Form 8-K (6-K) Disclosure About Material Cybersecurity Incidents, the following rules would be added:
Continue reading on our sister site Dark Reading.