A CISO Employment Contract May Mean the Difference Between Success and Jail

On May 4, 2023, U.S. District Judge William Orrick sentenced former Uber CISO (and former DOJ cybercrime prosecutor) Joe Sullivan to three years of probation and 200 hours of community service for his role in concealing a massive data breach at Uber from the public and from the FTC. While the court rejected the government’s request for 15 months in prison, it also did not accept Sullivan’s assertion that his actions were simply “normal” CISO activities in response to a data breach. The prosecution argued that the many members of the cybersecurity community who wrote letters of support did not understand the nature and facts of the Uber case, and that the fear expressed by CISOs that they could face criminal prosecution for simply doing their jobs reflected the fact that these CISOs “don’t have a clear picture of what happened.” The judge also emphasized that Uber in general, and Sullivan in particular, failed in their obligation to protect the public from the breach and obstructed the FTC’s investigation of a previous data breach.

While Sullivan avoided a prison sentence, the case raises serious questions about how a CISO can secure a successful tenure with an organization, make sure their voice is heard and acted upon, and avoid being left hanging by their employer when things go wrong. There is no substitute for competence and hard work, but every CISO can expect data breaches, incidents and crises; that is the nature of the profession. There are, however, a few things a CISO can do from the outset to protect themselves and their role within the organization, and most of them belong in the employment contract.

Clear Understanding of Roles, Responsibilities and Reporting

A chief information security officer (CISO) is responsible for the security of an organization’s information systems and data. They develop and implement security policies and procedures and oversee the security of the organization’s networks, systems and applications.

For a CISO to do that job effectively, three things need to be fixed in writing before the job starts: clear lines of reporting, clearly defined responsibilities and clear visibility to the CEO, president and the board of directors. Together these give the CISO the authority and the resources the role requires.

  • Clear lines of reporting: The CISO must be able to communicate directly with senior management and other stakeholders, so that security risks are properly identified and addressed, and must have the authority to act on those risks rather than merely to advise.
  • Clearly defined responsibilities: A written scope of responsibility is what makes accountability fair. It states which decisions are the CISO’s to make and which belong to someone else, so that the CISO is held accountable for the actions that were actually within their control and is expected to take the necessary steps to protect the organization’s systems and data.
  • Clear visibility to the CEO, president and the board of directors: The CISO must be able to keep the top of the organization informed of security risks and incidents, so that senior management is aware of the risks facing the organization and can take steps to mitigate them. It also creates a record that they were informed.

The job description and the employment contract should spell out the CISO’s lines of reporting, responsibilities and visibility to senior management. This protects the organization’s systems and data, and it protects the CISO: when a breach is later examined by regulators or a court, the question will be what the CISO was responsible for, whom they told and what authority they had to act.

Written Plans

The contract can also incorporate, by reference, a written data breach response plan that settles questions the CISO will otherwise have to answer in the middle of a crisis: who has ultimate responsibility for whether and how to report a data breach, whether and how to retain outside consultants (including forensic consultants), what technology to deploy and when, and what resources are necessary to meet legal and other requirements. This plan should be tailored to the specific needs of the organization and should include clear roles and responsibilities, as well as procedures for reporting, investigating and responding to data breaches.

The plan should also identify the resources that will be needed to respond to a data breach, such as personnel, technology and funding. It is important to have a plan in place so that the organization can respond quickly and effectively to a data breach. This will help to minimize the damage and protect the organization’s reputation.

Here are some specific steps that CISOs can take to define these things:

  • Identify the key stakeholders who will be involved in responding to a data breach. This may include the CEO, CFO, CIO, legal counsel and other senior executives. While flexibility is important, some of these should be defined in writing and the conclusions in those written documents should have some degree of enforceability.
  • Determine the roles and responsibilities of each stakeholder. Does the general counsel or the CISO determine whether a “breach” has occurred? Does the CIO or CISO make final determinations on acquiring technology that has security implications? Again, a written document with procedures is important.
  • Develop a process for reporting data breaches. This process should be clear, concise and easy to follow. The more granular (and adaptable), the better. The idea is to come up with a process to answer questions rather than answering the questions outright.
  • Identify the resources that will be needed to respond to a data breach. This may include personnel, technology and funding. Define in writing the CISO’s role in the budget process, the procurement process, the hiring process and the evaluation and assessment process.
  • Develop a plan for investigating data breaches. This plan should include steps for collecting evidence, analyzing data and identifying the root cause of the breach. Define the role of the CISO in this process, including the CISO’s role in working with insurers, consultants, outside counsel, forensics investigators and, ultimately, litigators.

By taking these steps, CISOs can help to ensure that their organizations are prepared to respond to data breaches in a timely and effective manner. The same principles apply to preventative measures, risk assessments and mitigation strategies.

The CISO, the President and the Board

The CISO is responsible for the security of an organization’s information systems and data. They play a critical role in protecting the organization from cyberattacks, data breaches and other security threats. To be effective, the CISO needs to have visibility with the CEO and president. This means that they need to be able to communicate directly with the top executives of the organization and keep them informed about security risks and incidents. This reporting structure should be documented in writing.

The CISO also needs to be able to pull resources as needed. This means that they need to have the authority to allocate budget and staff to security initiatives. Finally, the CISO needs to be able to bring security and compliance matters directly to the attention of the general counsel and the board of directors. This means that they need to have a direct line of communication with these individuals and be able to brief them on security issues in a timely manner.

The SEC’s cybersecurity disclosure rules for public companies, adopted in July 2023, are disclosure requirements rather than a prescribed security program. They require a company to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material, and to describe annually (under Item 106 of Regulation S-K) its processes for assessing, identifying and managing material cybersecurity risks, management’s role in those processes and the board’s oversight of cybersecurity risk. To make those disclosures truthfully, the company must actually have:

  • A risk assessment process
  • A plan to mitigate identified risks
  • Procedures for reporting and responding to security incidents, including a documented process for deciding whether an incident is material
  • Training for employees on cybersecurity best practices

In practice this means the board must be briefed regularly on the company’s cybersecurity program, on security incidents that have occurred and on the company’s plans to mitigate risks, and the CISO is usually the person doing the briefing. Make sure that this duty, and the CISO’s role in the materiality determination, is reflected in the CISO’s job description and duties.

Protecting the CISO

CISOs are responsible for the security of an organization’s information systems and data, and they are often held personally accountable for any security breaches that occur. Both the criminal case against Sullivan over the Uber breach and the SEC’s civil enforcement action against SolarWinds and its CISO over the SUNBURST compromise demonstrate the need for CISOs to have personal protection as part of their jobs. To protect themselves from civil and criminal liability, CISOs should ensure that they have the following:

  • D&O or other liability insurance: This type of insurance can help to cover the costs of legal fees and damages if a CISO is sued. This is in addition to any cyberinsurance coverage the company may have. The D&O policy should include a duty to defend, a duty to indemnify and a duty to advance payment of fees and/or expenses, but should also allow the CISO to select their own counsel.
  • A duty of the company to indemnify and hold harmless: This means that the company will cover any legal costs incurred by the CISO as a result of their role in the organization as well as any fines or penalties incurred. However, in most cases, criminal fines cannot be indemnified and, of course, in the event of a criminal conviction, the CISO may be forced to repay funds advanced. Finally, as Joe Sullivan came close to learning, in some circumstances, it is the CISO—not the company—that faces prison time.
  • Express whistleblower protections: This means that the CISO can report any cybersecurity issues without fear of retaliation. Document in writing any whistleblower reporting strategies the company deploys.

Exit Strategy

A CISO’s exit strategy is what protects the CISO when all else fails: when the company refuses to comply with the law or its own policies on data security, or engages in fraudulent or deceptive practices with respect to security or privacy, and the only responsible option is to leave. An effective exit strategy may include a ‘golden parachute,’ a negotiated severance payment that is triggered if the CISO is terminated or resigns for defined reasons, together with relief from noncompete provisions and carve-outs from nondisclosure provisions. The nondisclosure carve-outs should be drafted so that the CISO still cannot take confidential information with them, but is never contractually precluded from making reports that are required by SEC or other regulations or from exercising independent judgment about whether such a report is required. Thus, a CISO who quits on principle may be able to seek relief from non-compete provisions and can make mandatory reports without breaching the contract.

Mandatory arbitration provisions are also important to consider. These provisions require that any disputes between the employer and employee be resolved through arbitration rather than through the courts. Arbitration can be a faster and cheaper way to resolve disputes, but it also has some disadvantages. Arbitration is usually confidential, which means that the public, and other CISOs, cannot learn about the result. Arbitrators are not bound by the rules of procedure and evidence that apply in court, and the grounds on which an arbitration award can be challenged are very narrow, so an adverse decision is difficult to appeal.

CISOs should carefully read any mandatory arbitration provisions before agreeing to them. They should also consider the risks and benefits of arbitration before making a decision.

Here are some additional tips for CISOs when negotiating an exit strategy:

  • Be prepared to negotiate. The company may not be willing to agree to all of your demands, but you may be able to get them to agree to some of them.
  • Get everything in writing. Make sure that all of the terms of your exit strategy are in writing so there is no confusion later on.
  • Be aware of the risks. There are always risks associated with leaving a job, so be sure to weigh the risks and benefits before making a decision.
  • Consult with an attorney. If you have any questions or concerns about your exit strategy, be sure to consult with an attorney.

Invent and Create

Assignment of inventions agreements are important for CISOs and companies because they protect the company’s intellectual property rights. These agreements typically state that any inventions created by the CISO during their employment with the company will be automatically assigned to the company. This is important because it ensures that the company has the exclusive right to exploit any inventions the CISO creates, which can be valuable assets.

CISOs can retain the rights to preexisting inventions by making sure to list them as being exempt from assignment in their assignment of inventions agreement. This means that the company will not own the rights to these inventions, and the CISO will be able to exploit them however they see fit.

CISOs can also reserve ownership of inventions created on their own time, or inventions not directly related to their work as CISO, by including specific language in the assignment of inventions agreement. This language should state that the CISO retains ownership of inventions developed on their own time, without the company’s equipment, facilities or confidential information, and not related to the company’s business or to the CISO’s work for it. Some states (California Labor Code section 2870 is the best-known example) make an assignment of such inventions unenforceable regardless of what the agreement says, but the contract language should not rely on that; it should state the carve-out expressly.

It is important to have these exclusions in writing because it provides clear and unambiguous guidance for both the CISO and the company. This can help to avoid any disputes or misunderstandings down the road.

Here are some additional tips for CISOs when it comes to assignment of inventions agreements:

  • Read the agreement carefully before signing it.
  • Make sure you understand all of the terms and conditions.
  • If you have any questions, ask your lawyer.
  • Do not sign the agreement if you are not comfortable with the terms.
  • Keep a copy of the agreement for your records.

It is also important for companies to have a clear policy on intellectual property ownership. This policy should be communicated to all employees, including CISOs. The policy should state that the company owns all inventions created by employees during their employment unless otherwise specified in an assignment of inventions agreement.

By following these tips, CISOs and companies can protect their intellectual property rights and avoid any potential disputes.

Outside Work/Research/Board Memberships

It is important for CISOs to reveal to new employers any outside work they intend to engage in, including teaching, training, consulting, advising and any board memberships they may have that may conflict with their employment. This is because any outside work could potentially create a conflict of interest, which could harm the company. For example, if a CISO is teaching a class on cybersecurity to a company that is a competitor of their new employer, this could give the competitor an unfair advantage. Additionally, if a CISO is consulting for a company that is a vendor to their new employer, this could create a situation where the CISO is privy to confidential information that they could use to benefit their consulting client.

CISOs should also disclose any affiliations with trade organizations or significant ownership interests in companies that may act as vendors, suppliers or consultants to the company. This is because these affiliations could create the appearance of a conflict of interest, even if there is no actual conflict. For example, if a CISO is a member of the board of directors of a company that is a vendor to their new employer, this could create the appearance that the CISO is biased in favor of that company.

It is important for CISOs to put all of this information in writing and get permission from their new employer before engaging in any outside work. This will help to ensure that there is no misunderstanding about the potential conflicts of interest and that the CISO is not violating any company policies.

Here are some additional tips for CISOs who are considering engaging in outside work:

  • Be transparent with your employer about your plans.
  • Get permission in writing before engaging in any outside work.
  • Disclose any potential conflicts of interest.
  • Avoid working for or with companies that are competitors of your employer.
  • Avoid working for or with companies that are vendors, suppliers, or consultants to your employer.
  • Avoid working for or with companies that you have a financial interest in.
  • Be mindful of the appearance of impropriety.
  • Always act in the best interests of your employer.

A CISO who has disclosed outside activities in writing and obtained written approval is protected against the later claim, often raised after a breach or a dispute, that an undisclosed conflict of interest compromised their judgment.

Training and Education

The importance of continued training for CISOs cannot be overstated. The cybersecurity landscape is constantly evolving, with new threats and vulnerabilities emerging all the time. To stay ahead of the curve, CISOs need to be constantly learning and developing their skills.

There are a number of ways that CISOs can continue their training. One way is to attend conferences and workshops. This is a great way to learn about the latest trends in cyber security and network with other professionals in the field. Another way to continue training is to read industry publications and blogs. This will help CISOs stay up-to-date on the latest threats and vulnerabilities.

CISOs can also continue their training by taking online courses or enrolling in graduate school. This will give them the opportunity to learn from experts in the field and earn a degree that will help them advance their career.

In addition to continuing their own training, CISOs should also encourage their staff to do the same. A well-trained staff is essential for any organization that wants to protect itself from cyberattacks. CISOs can provide their staff with training on a variety of topics, including security awareness, incident response, and threat hunting.

CISOs should also get in writing a commitment from their employer to permit relevant training. This will ensure they have the resources they need to stay up-to-date on the latest threats and vulnerabilities. It will also help to protect them from being fired if they take time off to attend training.

By continuing their training, CISOs can help to protect their organizations from cyberattacks. They can also help to advance their careers and stay ahead of the curve in the ever-changing world of cybersecurity.

Here are some additional benefits of continued training for CISOs:

  • Increased job satisfaction
  • Improved job performance
  • Increased career opportunities
  • Reduced risk of job loss
  • Increased earning potential

CISOs who are committed to continued training are more likely to be successful in their careers. They are also more likely to be able to protect their organizations from cyberattacks.

In addition to the above, CISOs should also:

  • Keep up-to-date with the latest cybersecurity threats and trends.
  • Implement strong cybersecurity measures.
  • Educate employees about cybersecurity best practices.
  • Have a plan in place to respond to a cyberattack.

By taking these steps, CISOs can help to protect their organizations from cyberattacks and the associated risks. The CISO and the employer should agree in writing to commitments related to training, conferences and other professional activities.

Metrics and Measurements

It is important for a CISO and their employer to agree in writing about performance metrics. This will help to ensure that both parties are on the same page about what is expected of the CISO, and it will provide a framework for evaluating the CISO’s performance.

The CISO should have clearly defined goals and measures of success that they can control. This will help to ensure that the CISO is held accountable for their performance, and it will also help to motivate them to achieve their goals.

If there are assumptions made about what is necessary to meet these goals and metrics, those should be put in writing as well. This will help to avoid any misunderstandings or disagreements down the road.

Some examples of performance metrics that could be used to evaluate a CISO’s performance include:

  • The number of security incidents that occur
  • The cost of security incidents
  • Company projects that have been enabled or enhanced due to security performance
  • The time it takes to detect and to resolve security incidents
  • The level of employee satisfaction with security
  • The level of customer satisfaction with security

Two cautions apply. First, a raw count of incidents rewards not looking: a team that improves its detection will report more incidents, not fewer, so incident counts should be paired with detection and resolution times and with the cost of the incidents actually found. Second, a metric the CISO cannot control (the company’s attack surface, a budget the CISO did not set, a vendor the CISO did not choose) should not be a metric the CISO is judged on. These are only examples, and the specific metrics will vary by organization. By agreeing in writing on performance metrics, on clearly defined goals and measures of success, and on the assumptions behind them, an organization can help ensure that its CISO is successful in the role.

Conclusion

The role of the CISO has become increasingly important in today’s digital landscape. However, as the case of Joe Sullivan has shown, the responsibilities of this role can also come with significant risks. CISOs should ensure that their employment contracts and agreements with their employers include provisions that protect them from legal and financial liabilities to help them do their job effectively and with greater peace of mind.


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
