Former Uber CISO sentenced to 3 yrs probation over 2016 Data Breach charges
Interesting precedent over the 2016 Uber Data Breach sentence, concerning the CISO's responsibility in a cybersecurity incident
With this sentence, a federal judge in California sentenced the former Uber CISO Joseph Sullivan to three years of probation for his role in covering up a 2016 data breach that exposed data on more than 50 million customers.
Judge Orrick made it very clear that the Uber CISO was somehow fortunate not to face prison time, and that other future cases will most probably have a worse outcome.
Regardless of this specific outcome, and excluding cases of gross negligence, it will be common that CISOs will be considered the scapegoat, in case of a serious cybersecurity incident. Especially when the CISO doesn't have sufficient autonomy and independence from other key stakeholders that have conflicting interests.
When a CISO is in the tight position of holding the formal "CISO" title, but isn't sufficiently supported by the organization, his/her chances of falling hard are quite high these days... The bigger the headlines of the breach, the harder the fall of the CISO.
What can CISOs do to be more effective on the job, and risk less when the cyber incident inevitably happens ?
Pro CISO can help the CISO to influence his/her senior stakeholders with experience-backed strategic advisory, in addition to suggesting tools and services for implementing efficient and effective Cybersecurity programs.
The DarkReading article
With this sentence, a federal judge in California sentenced the former Uber CISO Joseph Sullivan to three years of probation for his role in covering up a 2016 data breach that exposed data on more than 50 million customers.
Judge Orrick made it very clear that the Uber CISO was somehow fortunate not to face prison time, and that other future cases will most probably have a worse outcome.
Regardless of this specific outcome, and excluding cases of gross negligence, it will be common that CISOs will be considered the scapegoat, in case of a serious cybersecurity incident. Especially when the CISO doesn't have sufficient autonomy and independence from other key stakeholders that have conflicting interests.
When a CISO is in the tight position of holding the formal "CISO" title, but isn't sufficiently supported by the organization, his/her chances of falling hard are quite high these days... The bigger the headlines of the breach, the harder the fall of the CISO.
What can CISOs do to be more effective on the job, and risk less when the cyber incident inevitably happens ?
- The CISO function should be independent, try to convince your senior management.
- Avoid reporting into a function that is responsible for implementing security (eg. CIO, CTO, COO);
- Establish a Cybersecurity board in which C-Levels are informed and make decisions on risks;
- Report the status of Cybersecurity risks to the Supervisory board.
- Adopt a continual improvement Risk Management program to identify, mitigate, monitor, report on risks;
- Implement an Incident Management process to manage, but also to report on incidents and lessons learned;
- In general, don't keep risks in your pocket, but disclose them to the relevant stakeholders;
- If all else fails, leave while you can - when the culture is toxic, this might be your preferred option.
Pro CISO can help the CISO to influence his/her senior stakeholders with experience-backed strategic advisory, in addition to suggesting tools and services for implementing efficient and effective Cybersecurity programs.
The DarkReading article