Liability Fears Damaging CISO Role, Says Former Uber CISO

The gorwing trend of finding CISOs personally liable for security failings is making security professionals more reluctant to take up these positions.
Sullivan was convicted in 2022 of federal charges relating to the cover up of the theft of Uber drivers' and customers' personal information from 2016.
He highlighted the wider impact of recent cases of CISOs being held personally liable for security incidents at their organizations.
In addition to his own case, Sullivan cited recent charges levied by the US Securities and Exchange Commission against SolarWinds and its CISO, Tim Brown, for allegedly deliberately downplaying or failing to disclose cyber-risks while overstating the firm's security practices.
The charge statement argued that Brown is not only responsible for what SolarWinds has done in relation to security, but also has responsibility over what the firm has said about it.
In Sullivan's conviction, which he is currently appealing, the judge made it clear that if he received a similar case in the future, he would send the defendant to prison.
The average person on the street would think it reasonable that a CISO should be responsible for all aspects of an organization's security, Sullivan acknowledged.
The reality is the CISO role is unique among executive positions.
He believes there is currently a lack of regulatory clarity for CISOs, who are often arriving into insecure environments.
He believes there is a fundamental shift coming in terms of the regulation that's on the horizon in cybersecurity, which will force organizations to revise how they approach security, and current security professionals must be to facilitate this change.
To prepare for potential personal legal charges, he said CISOs must prepare themselves emotionally, financially and legally, and even have public relations in place.
Sullivan said his own case made him realize the importance of CISOs having close relationships with other parts of the organization, such as the communications team and senior leadership.
This includes spending time with internal departments to understand how they operate.
During an incident, the CISO will need to spend a lot of time with the board, particularly in light of new SEC reporting rules.
The CISO must ensure they have a security team in place they can trust to deal with the attack without him present.
Security leaders should develop incident response plans based on how fire stations work - which are designed to deal with emergencies and are planning ahead for that, e.g. shifts of teams.
Sullivan concluded by saying that he believes the security industry is about to go in one of two directions, and it is up to professionals to decide which one they want to be in.


This Cyber News was published on www.infosecurity-magazine.com. Publication date: Thu, 07 Dec 2023 12:30:15 +0000


Cyber News related to Liability Fears Damaging CISO Role, Says Former Uber CISO

Ex-Uber CSO: Lessons Learned from the Breach and Legal Case - BLACK HAT EUROPE 2023 - London - Former Uber CISO Joe Sullivan last week shared new details about the 2016 data breach at the company that led to his firing from Uber and, later, felony charges. The Uber Breach Sullivan was in his second year as CISO ...
10 months ago Darkreading.com
Former Uber CISO Speaks Out, After 6 Years, on Data Breach, SolarWinds - Joe Sullivan arrived at his sentencing hearing on May 4 this year, prepared to go to jail had the judge not gone with a parole board's recommendation of probation. A federal jury convicted the former Uber CISO months earlier on two charges of fraud ...
11 months ago Darkreading.com
CISO Conversations: Nick McKenzie and Chris Evans - In this edition of CISO Conversations, SecurityWeek discusses the role of the CISO with two CISOs from the major crowdsourced hacking organizations: Nick McKenzie at Bugcrowd and Chris Evans at HackerOne. The purpose, as always, is to help aspiring ...
6 months ago Packetstormsecurity.com
The Role of the CISO in Digital Transformation - Modern-day demands require organizations to be flexible and digitally savvy, getting work done remotely and in the public cloud as often as in a centralized physical location, if not more so. As companies continue to modernize their workflows and ...
11 months ago Darkreading.com
Liability Fears Damaging CISO Role, Says Former Uber CISO - The gorwing trend of finding CISOs personally liable for security failings is making security professionals more reluctant to take up these positions. Sullivan was convicted in 2022 of federal charges relating to the cover up of the theft of Uber ...
11 months ago Infosecurity-magazine.com
Microsoft Is Getting a New 'Outsider' CISO - In a Tuesday blog post, Microsoft executive vice president of security Charlie Bell announced that as part of its new strategic focus on security, the company will shift Bret Arsenault out of his longtime role as CISO and into a chief security ...
11 months ago Darkreading.com
Microsoft Is Getting a New 'Outsider' CISO - In a blog post on Dec. 5, Microsoft executive vice president of security Charlie Bell announced that as part of its new strategic focus on security, the company will shift Bret Arsenault out of his longtime role as CISO and into a chief security ...
11 months ago Darkreading.com
Is the vCISO model right for your business? - It's getting harder to justify not having a CISO, so many businesses that have never had a CISO are filling the gap with a virtual CISO. A vCISO, sometimes referred to as a fractional CISO or CISO-as-a-Service, is typically a part-time outsourced ...
10 months ago Darkreading.com
How the Evolving Role of the CISO Impacts Cybersecurity Startups - It helps startups striving to meet the ever-evolving needs of CISOs, who are simultaneously seeking the elusive but paramount buy-in from business users and executives. The CISO role has evolved dramatically in the past few years in response to ...
11 months ago Darkreading.com
Appointments of New Chief Information Security Officers in the United States in January 2023 - Corporate security is undergoing a lot of changes as businesses attempt to keep up with the ever-changing threat landscape. To ensure the safety of both employees and customers, many companies are now hiring a Chief Security Officer or Chief ...
1 year ago Csoonline.com
Why CISOs and CIOs Should Work Together More Closely - Although there are overlaps in the goals and responsibilities of the CIO and the CISO, there are also challenges that get in the way of a more cohesive relationship, including reporting lines, organizational structures, budgets, and risk appetites. A ...
10 months ago Feedpress.me
Definition from TechTarget - The CISO is a senior-level executive responsible for developing and implementing an information security program, which includes procedures and policies designed to protect enterprise communications, systems and assets from both internal and external ...
10 months ago Techtarget.com
Embracing the Virtual: The Rise and Role of vCISOs in Modern Businesses - In recent years, the task of safeguarding businesses against cyber threats and ensuring compliance with security standards has become increasingly challenging. Unlike larger corporations that typically employ Chief Information Security Officers for ...
10 months ago Cysecurity.news
The New CISO: Rethinking the Role - Dating back to the 1990s, the role of CISO was more technical and IT-focused. CISOs face more risks than can be resolved, are expected to balance security with operational capability, and must convince leaders to invest in protection. Today, CISOs ...
7 months ago Darkreading.com
What CISOs Should Exclude From SEC Cybersecurity Filings - As enterprises continue to weigh which security incidents constitute something material enough to be reported under the Securities and Exchange Commission's new rules, CISOs face the challenge of deciding which details to report and, far more ...
11 months ago Darkreading.com
Top 3 Priorities for CISOs in 2024 - As the new year begins, CISOs gather with their security teams and corporate management to scope out top priorities for 2024 and how to address these issues. This year - with a multitude of new privacy laws, Securities and Exchange Commission ...
9 months ago Darkreading.com
The Shift in Power from CIO to CISO: The Rise in Cyber Attacks Enables Greater Resources and Budget Allocation - Often when we talk about the impact of these cyber threats, we inevitably focus on the wallet as well as how they can tarnish a business's reputation. As a result, we are witnessing the beginnings of a shift in power from the CIO to the Chief ...
10 months ago Cybersecurity-insiders.com
The Shift in Power from CIO to CISO: The Rise in Cyber Attacks Enables Greater Resources and Budget Allocation - Often when we talk about the impact of these cyber threats, we inevitably focus on the wallet as well as how they can tarnish a business's reputation. As a result, we are witnessing the beginnings of a shift in power from the CIO to the Chief ...
10 months ago Cybersecurity-insiders.com
The Shift in Power from CIO to CISO: The Rise in Cyber Attacks Enables Greater Resources and Budget Allocation - Often when we talk about the impact of these cyber threats, we inevitably focus on the wallet as well as how they can tarnish a business's reputation. As a result, we are witnessing the beginnings of a shift in power from the CIO to the Chief ...
10 months ago Cybersecurity-insiders.com
The Shift in Power from CIO to CISO: The Rise in Cyber Attacks Enables Greater Resources and Budget Allocation - Often when we talk about the impact of these cyber threats, we inevitably focus on the wallet as well as how they can tarnish a business's reputation. As a result, we are witnessing the beginnings of a shift in power from the CIO to the Chief ...
10 months ago Cybersecurity-insiders.com
The Shift in Power from CIO to CISO: The Rise in Cyber Attacks Enables Greater Resources and Budget Allocation - Often when we talk about the impact of these cyber threats, we inevitably focus on the wallet as well as how they can tarnish a business's reputation. As a result, we are witnessing the beginnings of a shift in power from the CIO to the Chief ...
10 months ago Cybersecurity-insiders.com
The Shift in Power from CIO to CISO: The Rise in Cyber Attacks Enables Greater Resources and Budget Allocation - Often when we talk about the impact of these cyber threats, we inevitably focus on the wallet as well as how they can tarnish a business's reputation. As a result, we are witnessing the beginnings of a shift in power from the CIO to the Chief ...
10 months ago Cybersecurity-insiders.com
The Shift in Power from CIO to CISO: The Rise in Cyber Attacks Enables Greater Resources and Budget Allocation - Often when we talk about the impact of these cyber threats, we inevitably focus on the wallet as well as how they can tarnish a business's reputation. As a result, we are witnessing the beginnings of a shift in power from the CIO to the Chief ...
10 months ago Cybersecurity-insiders.com
The Shift in Power from CIO to CISO: The Rise in Cyber Attacks Enables Greater Resources and Budget Allocation - Often when we talk about the impact of these cyber threats, we inevitably focus on the wallet as well as how they can tarnish a business's reputation. As a result, we are witnessing the beginnings of a shift in power from the CIO to the Chief ...
10 months ago Cybersecurity-insiders.com
The Shift in Power from CIO to CISO: The Rise in Cyber Attacks Enables Greater Resources and Budget Allocation - Often when we talk about the impact of these cyber threats, we inevitably focus on the wallet as well as how they can tarnish a business's reputation. As a result, we are witnessing the beginnings of a shift in power from the CIO to the Chief ...
10 months ago Cybersecurity-insiders.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)