E40, Knock, Knock! Here is an unsolicited guide for Uber's leadership, hurting from three cyberattacks in 2022

Uber had a data breach yesterday.

Again. For the third time in 2022.

If I were advising Uber, here is what I would focus on.

Read on.

Stop the bleeding, patch the wound, and fix it.

But there is more.

Let me lay out the paradigm shift that companies big and small must recognize.

The blind spots lie in it.

What small and medium businesses thrive on, enterprises struggle with.

The reverse is true too.

Enterprises have massive budgets and get freebies from vendors. Better rates and better resources are within reach. Leaders at small and medium-sized companies yearn for that.

It is a vicious cycle that produces peaks and valleys in performance, outcomes, and culture as the company grows or shrinks.

Let's go back to Uber.

Uber generates approximately $25B in annual revenue.

In 10 years, they have gone from 8 cities to 10,000 cities. The company has beaten EPS and revenue estimates in each of the past four quarters (except the most recent, where it missed on EPS).

Post-pandemic, they have seen strong growth. Their bookings and platform usage have grown.

They are branding themselves as a logistics, mobility, and tech platform company.

Life is good.

Or not.

In recent times, Uber has been a ripe target for cyberattacks.

Their former CISO was convicted for covering up a massive 2016 data breach in which the data of 57 million Uber users and drivers was stolen.

It was a massive hit to their brand.

In 2022 alone, there have already been multiple breaches.

For a company with everything going for it, the issue cannot be about tools, talent, or technology.

I cannot imagine Uber lacking the right tools for any of the following reasons:

  • they don't have the money or budget
  • they don't have the intelligence to focus on security
  • they don't have access to vendors or talent

My paradigm is this:

As companies grow, people challenges overtake technology challenges.

Teams and departments build tall walls around themselves. Spreading information and visibility across departments becomes a mountainous task. Companies form teams meant to act as bridges between departments. That seldom works.

The number of interconnections grows until it is unmanageable. This slows decision-making and blurs accountability. Visibility thins out. No one knows who makes which decision or who owns which asset.

What a small or medium-sized business thrives on becomes painful for a large company to achieve.

For example, it is one thing for me to recommend: secure your crown jewels, or focus on what you want to protect.

But in a $25B company, who gets to decide what the crown jewels are?

  • Does the CTO know?
  • Does the head of logistics know?
  • Or should their DBA know?
  • For a customer-facing application, isn't application uptime a crown jewel? Isn't customer data a crown jewel?


The activity to nail down the specifics becomes a massive undertaking.


There is no shortage of large (read: expensive) vendors who would be happy to run a six-month review and charge a pretty penny.

But can they fix accountability?

And enterprises have the problem of too many tools, which may or may not work with each other.

I don't think modern MFA, security assessments, or risk quantification alone is the answer.

The true answer lies in the cross-section of security culture supported by well-integrated tech.

In the medium term, I would focus on:

  • building a common definition of risk for the company
  • building a common definition of crown jewels: what must absolutely be protected?
  • building a security culture from the ground up, fixing accountability and ownership
  • Zero Trust across enterprise integrations
  • an aggressive and complete security posture assessment
  • tightening RPO and RTO (recovery point and recovery time objectives) for the crown jewels

So, if Uber's information security leadership is reading this, or you are thinking along the same lines, let this post be the outlier. This is a direction that vendors and salespeople rarely point towards. I am happy to break this into a roadmap and get into a discussion.

Uttam Majumdar

Founded Locuz (Acquired by SHI) | Now SVP of Business & Services at SHI

1 year ago

The true answer lies in the cross-section of security culture supported by well-integrated tech. Bang on!
