On May 4, 2023, U.S. District Judge William Orrick sentenced former Uber CISO and former DOJ cybercrime prosecutor Joe Sullivan to three years of probation and 200 hours of community service for his role in concealing a massive data breach at Uber from the public and from the FTC. While the court rejected the government’s request for 15 months of jail for the former prosecutor, the court also did not accept Sullivan’s assertions that his activities were simply “normal” activities for a CISO in response to a data breach. The prosecution noted that the many letters of support he received from members of the cybersecurity community did not understand the nature and facts of the Uber case and that fears expressed by CISOs that they could face criminal prosecution for simply doing their jobs reflected the fact that these CISOs “don’t have a clear picture of what happened” in the Sullivan case. The judge also emphasized the fact that Uber, in general, and Sullivan, in particular, failed in their obligations to protect the public from the breach and obstructed the FTC investigation and response to a previous data breach.
While Sullivan was able to avoid a prison sentence, the case raises serious questions about how CISOs can ensure that they have a successful tenure with an organization, that they can ensure that their voice is heard and responded to and how they can ensure that they do not end up left hanging by their employer. Of course, there is no substitute for competence and hard work, but any CISO can expect data breaches, incidents and crises. That is the nature of the profession. There are a few things a CISO can do to protect themselves and their role within an organization from the outset.
A chief information security officer (CISO) is responsible for the security of an organization’s information systems and data. They develop and implement security policies and procedures and oversee the security of the organization’s networks, systems and applications.
It is important for CISOs to have clear lines of reporting, clearly defined responsibilities and clear visibility to the CEO, president and the board of directors. This ensures that the CISO has the authority and resources they need to do their job effectively.
Clear lines of reporting allow the CISO to communicate effectively with senior management and other stakeholders. This is essential for ensuring that security risks are properly identified and addressed.
Clearly defined responsibilities ensure that the CISO is held accountable for their actions. This is important for ensuring that the CISO is taking the necessary steps to protect the organization’s information systems and data.
Clear visibility to the CEO, president and the board of directors allows the CISO to keep them informed of security risks and incidents. This is essential for ensuring that senior management is aware of the security risks facing the organization and can take steps to mitigate them.
The job description for a CISO should clearly outline the CISO’s lines of reporting, responsibilities and visibility to senior management. This will help to ensure that the CISO is able to do their job effectively and that the organization’s information systems and data are protected.
Taken together, these three factors give the CISO the authority to act on the risks they identify, the accountability that comes with defined duties, and a direct channel to the people who can actually fund and approve mitigation. A CISO who has them in writing is in a position to protect the organization’s information systems and data effectively; a CISO who lacks them may discover, only after an incident, that nobody with authority ever heard the warning.
The CISO’s contract can also define, in advance, who has ultimate responsibility for whether and how to report a data breach, whether and how to retain outside consultants (including forensic consultants and outside counsel), what technology to deploy and when, and what resources are necessary to meet legal and other requirements. Those decisions should then be carried into a data breach response plan tailored to the specific needs of the organization, with clear roles and responsibilities and procedures for reporting, investigating and responding to data breaches.
The plan should also identify the resources that will be needed to respond to a data breach, such as personnel, technology and funding, and should state who can authorize spending them during an incident. Having a plan in place before an incident lets the organization respond quickly and effectively, minimizes the damage and protects the organization’s reputation. Just as importantly for the CISO, a written plan that was approved by management records who decided what, so that a later reporting decision cannot be recast as the CISO’s unilateral choice.
Here are some specific steps that CISOs can take to define these things:
By taking these steps, CISOs can help to ensure that their organizations are prepared to respond to data breaches in a timely and effective manner. The same principles apply to preventative measures, risk assessments and mitigation strategies.
The CISO is responsible for the security of an organization’s information systems and data. They play a critical role in protecting the organization from cyberattacks, data breaches and other security threats. To be effective, the CISO needs to have visibility with the CEO and president. This means that they need to be able to communicate directly with the top executives of the organization and keep them informed about security risks and incidents. This reporting structure should be documented in writing.
The CISO also needs to be able to draw on resources as needed. This means that they need the authority to allocate budget and staff to security initiatives, or a documented escalation path when that authority is refused. Finally, the CISO needs to be able to bring security and compliance matters directly to the attention of the general counsel and the board of directors. This means that they need a direct line of communication with these individuals, and the ability to brief them on security issues in a timely manner without the briefing being filtered or delayed by intermediate management.
The SEC’s cybersecurity rules for public companies require disclosure of material cybersecurity incidents and a description of how the company assesses, identifies and manages cybersecurity risk. In practice, a company cannot make those disclosures accurately without a documented cybersecurity program. That program must include:
The SEC also requires companies to describe how the board of directors oversees cybersecurity risk, which in practice means that the board should be briefed regularly. This briefing should include information on the company’s cybersecurity program, any security incidents that have occurred and the company’s plans to mitigate risks. Make sure that this briefing responsibility, and the CISO’s role in the incident materiality determination, is reflected in the CISO’s job description and duties.
CISOs are responsible for the security of an organization’s information systems and data, and they are often held personally accountable for any security breaches that occur. Both the Sullivan/Uber criminal case and the SEC’s civil case against SolarWinds and its CISO arising from the SUNBURST compromise demonstrate the need for CISOs to have personal protection as part of their jobs. To protect themselves from civil and criminal liability, CISOs should ensure that they have the following:
A CISO’s exit strategy, meaning what they should do when all else fails, is important because it protects both the organization and the CISO when the CISO leaves the company. An effective exit strategy may include a ‘golden parachute,’ a severance package payable if the CISO is terminated or resigns for defined reasons, and relief from noncompete or nondisclosure provisions. The nondisclosure provisions should still prevent the CISO from taking confidential information with them, but they must be drafted so that they do not interfere with the CISO’s legal reporting obligations or independent judgment. Thus, a CISO who quits a company because that company has refused to comply with the law or its own policy with respect to data security, or is engaged in fraudulent or deceptive practices with respect to security or privacy, may be able to seek relief from noncompete provisions and should not be precluded by contract from mandatory reporting requirements under SEC or other regulations. (The SEC’s whistleblower rules already prohibit agreements that impede an individual from communicating with the SEC about possible securities law violations, but the contract should say so explicitly rather than leave the CISO to litigate the point.)
Mandatory arbitration provisions are also important to consider. These provisions require that any disputes between the employer and employee be resolved through arbitration rather than through the courts. Arbitration can be a faster and cheaper way to resolve disputes, but it also has some disadvantages. For example, arbitration is usually confidential, which means that the public cannot learn about the results, and a CISO who was pushed out for refusing to conceal an incident may want that record to be public. Additionally, arbitrators are not bound by the same procedural and evidentiary rules as judges, and an arbitration award can be vacated only on very narrow grounds, so there is effectively no appeal of a bad decision.
CISOs should carefully read any mandatory arbitration provisions before agreeing to them. They should also consider the risks and benefits of arbitration before making a decision.
Here are some additional tips for CISOs when negotiating an exit strategy:
Be prepared to negotiate. The company may not be willing to agree to all of your demands, but you may be able to get them to agree to some of them.
Get everything in writing. Make sure that all of the terms of your exit strategy are in writing so there is no confusion later on.
Be aware of the risks. There are always risks associated with leaving a job, so be sure to weigh the risks and benefits before making a decision.
Consult with an attorney. If you have any questions or concerns about your exit strategy, be sure to consult with an attorney.
Assignment of inventions agreements are important for CISOs and companies because they protect the company’s intellectual property rights. These agreements typically state that any inventions created by the CISO during their employment with the company will be automatically assigned to the company. This is important because it ensures that the company has the exclusive right to exploit any inventions the CISO creates, which can be valuable assets.
CISOs can retain the rights to preexisting inventions by making sure to list them as being exempt from assignment in their assignment of inventions agreement. This means that the company will not own the rights to these inventions, and the CISO will be able to exploit them however they see fit.
CISOs can also reserve ownership of inventions created on their own time, or inventions not related to their work as CISO, by including specific language in their assignment of inventions agreement. Such carve-outs typically cover inventions that the CISO develops entirely on their own time, without using the company’s equipment, facilities or trade secrets, and that do not relate to the company’s business or result from work performed for the company. Some states make a carve-out of this kind mandatory (California Labor Code section 2870 is one example), but the agreement should spell it out regardless of where the CISO works.
It is important to have these exclusions in writing because it provides clear and unambiguous guidance for both the CISO and the company. This can help to avoid any disputes or misunderstandings down the road.
Here are some additional tips for CISOs when it comes to assignment of inventions agreements:
It is also important for companies to have a clear policy on intellectual property ownership. This policy should be communicated to all employees, including CISOs. The policy should state that the company owns all inventions created by employees during their employment unless otherwise specified in an assignment of inventions agreement.
By following these tips, CISOs and companies can protect their intellectual property rights and avoid any potential disputes.
It is important for CISOs to reveal to new employers any outside work they intend to engage in, including teaching, training, consulting, advising and any board memberships they may have that may conflict with their employment. This is because any outside work could potentially create a conflict of interest, which could harm the company. For example, if a CISO is teaching a class on cybersecurity to a company that is a competitor of their new employer, this could give the competitor an unfair advantage. Additionally, if a CISO is consulting for a company that is a vendor to their new employer, this could create a situation where the CISO is privy to confidential information that they could use to benefit their consulting client.
CISOs should also disclose any affiliations with trade organizations or significant ownership interests in companies that may act as vendors, suppliers or consultants to the company. This is because these affiliations could create the appearance of a conflict of interest, even if there is no actual conflict. For example, if a CISO is a member of the board of directors of a company that is a vendor to their new employer, this could create the appearance that the CISO is biased in favor of that company.
It is important for CISOs to put all of this information in writing and get permission from their new employer before engaging in any outside work. This will help to ensure that there is no misunderstanding about the potential conflicts of interest and that the CISO is not violating any company policies.
Here are some additional tips for CISOs who are considering engaging in outside work:
CISOs who have these protections in place are better able to shield themselves from the financial and reputational damage that can follow a breach or incident.
The importance of continued training for CISOs cannot be overstated. The cybersecurity landscape is constantly evolving, with new threats and vulnerabilities emerging all the time. To stay ahead of the curve, CISOs need to be constantly learning and developing their skills.
There are a number of ways that CISOs can continue their training. One way is to attend conferences and workshops, which is a good way to learn about the latest trends in cybersecurity and to network with other professionals in the field. Another is to read industry publications and blogs, which helps CISOs stay up to date on the latest threats and vulnerabilities.
CISOs can also continue their training by taking online courses or enrolling in graduate school. This will give them the opportunity to learn from experts in the field and earn a degree that will help them advance their career.
In addition to continuing their own training, CISOs should also encourage their staff to do the same. A well-trained staff is essential for any organization that wants to protect itself from cyberattacks. CISOs can provide their staff with training on a variety of topics, including security awareness, incident response, and threat hunting.
CISOs should also get in writing a commitment from their employer to permit relevant training. This will ensure they have the resources they need to stay up-to-date on the latest threats and vulnerabilities. It will also help to protect them from being fired if they take time off to attend training.
By continuing their training, CISOs can help to protect their organizations from cyberattacks. They can also help to advance their careers and stay ahead of the curve in the ever-changing world of cybersecurity.
Here are some additional benefits of continued training for CISOs:
CISOs who are committed to continued training are more likely to be successful in their careers. They are also more likely to be able to protect their organizations from cyberattacks.
In addition to the above, CISOs should also:
By taking these steps, CISOs can help to protect their organizations from cyberattacks and the associated risks. The CISO and the employer should agree in writing to commitments related to training, conferences and other professional activities.
It is important for a CISO and their employer to agree in writing about performance metrics. This will help to ensure that both parties are on the same page about what is expected of the CISO, and it will provide a framework for evaluating the CISO’s performance.
The CISO should have clearly defined goals and measures of success that they can control. This will help to ensure that the CISO is held accountable for their performance, and it will also help to motivate them to achieve their goals.
If there are assumptions made about what is necessary to meet these goals and metrics, those should be put in writing as well. This will help to avoid any misunderstandings or disagreements down the road.
Some examples of performance metrics that could be used to evaluate a CISO’s performance include:
It is important to note that these are just a few examples, and the specific metrics that are used will vary depending on the organization. By agreeing in writing about performance metrics and having clearly defined goals and measures of success, an organization can help ensure that its CISO is successful in the role.
The role of the CISO has become increasingly important in today’s digital landscape. However, as the case of Joe Sullivan has shown, the responsibilities of this role can also come with significant risks. CISOs should ensure that their employment contracts and agreements with their employers include provisions that protect them from legal and financial liabilities to help them do their job effectively and with greater peace of mind.