Uber and CISO Accountability
Team Cyturus

Uber Trial: A Lost Opportunity For Cyber Governance (forbes.com)

The controversial trial and conviction of Joe Sullivan, former CISO for Uber has generated an enormous amount of discussion culminating in conflicting and divisive opinions. The above linked Forbes article is very well written, and one of the best, most coherent we’ve seen. (Thanks Bob Carver for the share, and kick off of subsequent discussions around this.)

In the article, Jody R Westby presents some significant points about the case and how it was handled. It's worth the read.

Hindsight being 20/20, here are some of the salient facts as we understand them. Joe Sullivan spent two and a half years as a federal prosecutor before spending time at eBay, PayPal and Facebook. He then spent just under three years at Uber before going to Cloudflare. He is a well-respected industry leader.

While at Uber, on November 3, 2016, he learned of a breach that impacted 57 million Uber users. Those are facts that we know. What happened next is viewed through as many filters as there are news outlets on the internet (including ours), but as a CISO, he handled the problem based on his extensive experience and industry knowledge. Faced with a ransom he drew up paperwork that had the attackers commit to not releasing the information, paid the hackers $100k and proceeded to shore up controls to help prevent such exploits in the future. In response to a time-sensitive incident, he made decisions to best protect the company, investors, and clients based on the information available at that time.

Again, hindsight is 20/20. Given all that’s happened since, including legislation in 2018, this action may be seen as poor judgement. Under current regulations there are disclosures that legally must be made, at the very least. Joe Sullivan acted in response to an immediate corporate threat. He did notify the CEO, as evidenced by text conversations. The CEO knew, and at that point, if the CEO chose not to notify the board, that decision was out of Sullivan's hands. Joe Sullivan did what he was authorized by his position to do. His responsibility was to protect the company, the associated shareholders, and the clients of the company. His obligation as the CISO was to protect the data. With the information available at that time, the best course of action to minimize the impact was to limit exposure. It appeared to be a simple solution: someone found a bug, we pay a bounty, you agree not to expose the data. The fact is that ransoms are paid as a regularly accepted remediation. The CEO was aware and approved the decision based on the recommendation of an experienced attorney, cybersecurity leader and former prosecutor. However, it now appears as though it has all fallen on this CISO’s head.

This brings up the heart of the issue, and a challenge that really must be addressed: the CISO has to have a seat at the table if they are going to be held accountable. Accountability without authority, or without top-level access, is not sustainable and not just, as evidenced by this ruling, and could lead to bad behavior and the opposite of transparency and best-effort data protection. What does this case prove? At the very least, it confirms that the crosshairs are on the CISO and sanctions that position as the scapegoat. It sets a potentially dangerous precedent, and it has cybersecurity leaders examining their roles, their contracts, and their organizations’ commitment to having them be a contributing member of the executive decision-making team and/or board.

This has been a problem since the release of HIPAA, when some organizations, faced with the requirement of appointing a HIPAA officer, chose to simply appoint the IT person who was willing and had the most time on their hands. This has led to some devaluation of the role, which many great CISOs and other cyber leaders have challenged, and continue to challenge, with their undeniable contributions to the business.

In today’s environment, it is critical for cybersecurity professionals to intentionally understand business objectives, to provide business value, and to continually educate themselves on aligning technology with business objectives to support the business as it moves forward. That means being able to provide dynamic, accurate and current metrics, as well as visibility from a business perspective, to your executive team, and ensuring that you can:

  • Best serve your internal and external customers with strong data protection strategy
  • Understand what compliance mandates or frameworks you are subject to
  • Build a plan that is specific, intentional and executable
  • Be empowered - have the right authority to perform your job
  • Effectively test scenarios so that in the heat of battle, in the thick of things when adrenaline is flowing, you’re able to respond effectively with proven processes that have predictable results
  • Document, document, document
  • Contribute to long-term liability protection for yourself and your organization

The Cyturus Compliance Risk Tracker platform is purpose built to support those objectives, and allows you to:

  1. Measure and understand your current state
  2. Build a defined roadmap for prioritized improvement
  3. Clearly articulate accurate Security & Risk to senior leadership, customers, auditors and legislators
  4. Build business focused policies that align not just with compliance, but with your business and stakeholder objectives and provide the best level of protection
  5. Manage the remediation life cycle
  6. Have a plan of action when the inevitable event or incident occurs
  7. Clearly document your actions

And did we mention document, document, document?

Reach out to us at [email protected] or visit our website!

#cybersecurity #riskmanagement #integratedriskmanagement #uber #legal #GRC #compliance #opinions #discuss

Lou Carli

President & Board Member at Cyturus Technologies

2 years

It's hard enough finding talented CISO types. This certainly doesn't help.