The full implications of the recent jury conviction of former Uber chief security officer Joe Sullivan have not been described well to the community at large. The cyber community knows what a breach means and what it takes to emerge from it. But we must look at the intent, the approach, and the outcome, and a simple guilty verdict does not do it justice.
Yes, the word of the law – disclosure – was violated, so it makes for an easy verdict. However, it’s important to understand and explain the circumstances – the pain of being breached, the loss of valuable consumer information, the executive pressure, the criticism of the public eye, the government agency pressure, and the recovery.
It's impossible for one person – the CISO – to manage all of these. Therefore, holding just one person accountable and liable in a team effort situation sets a bad precedent. Worse, it puts the whole cyber community, particularly CISOs, on edge, knowing they are an easy scapegoat in these circumstances. The hackers are the criminals. Let’s rally against them, not our own. I am not judging this particular case but offering my opinion before this becomes a ‘scapegoat’ precedent.
So, what must change?
First and foremost, each board and/or C-suite team must establish a clear engagement plan describing how the company must respond or prepare for an inevitable breach. The CISO should design the plan but have approval from the executive team, including legal. Second, the company must establish clear criteria and thresholds for exposures. Without this, a plan is impotent.
One example of a criterion: the loss of a customer’s private data. Within this, we need to establish thresholds – the quantity of customer data lost/stolen along with the PII it contained. It’s imperative for us to be as specific as possible to execute a standardized plan that leaves no room for ambiguity and, therefore, questionable decisions and actions.
It's perfectly reasonable to add a new dimension/threshold later based on new information from a breach. If the criteria are established clearly, we then must understand and document when and what the organization must disclose to government agencies, such as the FBI and the FTC, and when and what information gets disclosed to the public. This code of behavior and actions makes for a solid CISO response plan and saves the company and the individual – the CISO in most cases.
Create synergies between CISOs and the executive team
CISOs are a core part of the C-suite team and answerable to the board. They have a heavy burden on their shoulders, and the company must protect them with the best corporate/legal advice, budget, staff, and above all, the full C-suite’s, particularly the CEO’s, unwavering support. The legal team has an essential partnership with the CISO. Without this, we ask the CISO to take a risk in taking the highest-profile job in fighting cybercrime without the necessary support.
The impact of the Uber case
Much about the Uber case remains unexplained to the broader community. The wrongdoing was hiding the breach from the public and government agencies, and possibly even the act of paying off the hackers. But what happened behind the scenes regarding response action, the discussions within the leadership team, and the reasons why disclosures were knowingly withheld are largely unexplained.
Why would a high-profile team, with all the resources at their disposal, consciously work against the word of the law? Such are the pressures of being in the cyber community, particularly the CISO. We must not put the lens on the CISO every single time, but rather inspect whether the CISO and their team were provided all the resources necessary to act responsibly and effectively. But I fear that this case will make it harder for CISOs and their teams to operate, make them wary of big moves, and put them on the defensive, thus making it easier for adversaries to breach/attack/debilitate our companies. Unless we rally against the adversaries and stop looking for scapegoats – CISOs – we will fail in our duties as good corporate citizens and cyber defenders.
What do CISOs need to succeed? In a tangible form, they need a proper budget – both planned and discretionary (ad-hoc), proper staffing and/or augmentation with service providers, and above all, the right legal advice and guidance during a breach. Most importantly, CISOs need the full support of the executive team and board from day one.
CISOs also need to enhance collaboration, both with the peer community and law enforcement agencies, so it becomes a shared responsibility. It goes without saying that, using the budget and staff, CISOs need to invest in the right tools that will give them proper visibility into their landscape and then automate the implementation of their operational processes. We must look at machine assistance as the next frontier, through AI-based insights and recommendations, and process automation. CISOs simply cannot scale and protect corporations without appropriate next-gen tool investments.
Karthik Kannan, chief executive officer, Anvilogic