SAN FRANCISCO — The life of a chief information security officer can be rough.
Your budget is never what you think it needs to be, you’re often widely viewed within the organization as a cost center and an obstacle, your influence over larger business decisions that impact security is usually limited, and if there is a damaging breach or incident within an organization, the CISO is the first person that executive leadership and the public look to blame.
Two incidents last year illustrate some of the difficulties of the job: former Uber CISO Joe Sullivan’s conviction for obstructing a Federal Trade Commission investigation of a 2016 ransomware attack on the company, and former Twitter security head Peiter “Mudge” Zatko filing a whistleblower complaint alleging widespread security failures and vulnerabilities in the social media company’s platform that were being ignored by executive leadership.
At the RSA 2023 Conference in San Francisco, a number of experts made the case that better coordination between a company’s security and legal shops can go a long way towards ensuring that companies practice good business and good security at the same time.
Click here for all of SC Media's coverage from the RSA Conference 2023
Robin Sundaram, CISO at RLEX, said the temptation to look for scapegoats in the wake of a cyber incident can be intense — and the larger the breach, the bigger the scalp that shareholders and executives tend to demand.
“I see it myself. We’re doing investigations and something awful happens, the first instinct [is to say] ‘Who did something wrong and should we get rid of them?’” said Sundaram.
That reality has many CISOs sitting in a perpetual hot seat. When combined with a lack of budget or authority over insecure company operations, it’s not surprising that while the average C-Suite executive’s tenure at a company is about five years, the average CISO tenure tends to last just 26 months.
Jon Olson, general counsel at Blackbaud, understands this dynamic well. His company was forced to pay a $3 million settlement to the Securities and Exchange Commission last month regarding claims that they misled the agency about the impact of a 2020 ransomware attack. In the early days following the disclosure, the company said that donor bank account information and Social Security numbers had not been accessed by attackers during the breach, a claim they had to walk back days later when their internal IT investigators learned otherwise.
He said the episode led to an evolution between Blackbaud’s legal and CISO offices, including a pledge to better communicate and coordinate in the face of future cyber incidents to ensure they’re investigating incidents while holding up their legal obligations.
“I’ve seen that relationship develop from a very embryonic relationship to a very, very close relationship,” in the years since, Olson said.
Lessons from the conviction of ex-Uber CISO
The Uber conviction has become something of a flashpoint among many CISOs, with many expressing the belief that Sullivan was unfairly scapegoated by his company and the justice system, and worry they could one day fall victim to similar circumstances.
Others in the security and legal industry strongly disagree with the argument that Sullivan was unfairly railroaded, pointing out he was a former Assistant U.S. Attorney who should have been well aware of his legal obligations, and that the primary lesson executives should take from his conviction is that attempting to cover up a hack is plainly illegal.
“CISOs must not obstruct or misdirect an investigation, period. That’s not new and will not change,” Kathleen McGee, a partner in the tech group and white collar criminal defense practices at Lowenstein Sandler LLP, told SC Media following Sullivan’s conviction last year.
But some push back on that notion, saying that many CISOs are, in a sense, at the mercy of larger cultural forces within their company, where higher level executives can and do make the call on whether and when to be transparent about damaging incidents or news. Placing all accountability on the CISO for how incidents are communicated to the government and the public lets the CEO, CIO and other executives off the hook for prioritizing business considerations or reputation over transparency.
Andrea Hoy, a senior security advisor at legal firm Troutman Pepper and a founder and virtual CISO of A.Hoy and Associates, said the broader culture within a particular company is an important indicator of how they might approach transparency in the wake of a security incident. Often it’s apparent within the first few days of a CISO’s tenure what kind of support or pressures they will face.
“Culture seems to be really important. Every time you join another organization you always immediately feel the culture…you’ll get into organizations as CISO where maybe you’ll find something that isn’t exactly appropriate on a server, and depending on what the culture is at the company they may say, ‘No, let’s not say anything outside our organization about that,” said Hoy. "Then it really turns into an ethical question for us as a CISO. What do we do? How do we report things, do we leave the organization? How far do you push it and where are you going to get support?”
