The growing trend of finding CISOs personally liable for security failings is making security professionals more reluctant to take up these positions.
Sullivan was convicted in 2022 of federal charges relating to the cover-up of the theft of Uber drivers' and customers' personal information in 2016.
He highlighted the wider impact of recent cases of CISOs being held personally liable for security incidents at their organizations.
In addition to his own case, Sullivan cited recent charges levied by the US Securities and Exchange Commission against SolarWinds and its CISO, Tim Brown, for allegedly deliberately downplaying or failing to disclose cyber-risks while overstating the firm's security practices.
The charge statement argued that Brown is not only responsible for what SolarWinds has done in relation to security, but also has responsibility over what the firm has said about it.
In Sullivan's conviction, which he is currently appealing, the judge made it clear that if he received a similar case in the future, he would send the defendant to prison.
The average person on the street would think it reasonable that a CISO should be responsible for all aspects of an organization's security, Sullivan acknowledged.
The reality is the CISO role is unique among executive positions.
He believes there is currently a lack of regulatory clarity for CISOs, who are often arriving into insecure environments.
He believes a fundamental shift in cybersecurity regulation is on the horizon, one that will force organizations to revise how they approach security, and current security professionals must be ready to facilitate this change.
To prepare for potential personal legal charges, he said CISOs must prepare themselves emotionally, financially and legally, and even have public relations in place.
Sullivan said his own case made him realize the importance of CISOs having close relationships with other parts of the organization, such as the communications team and senior leadership.
This includes spending time with internal departments to understand how they operate.
During an incident, the CISO will need to spend a lot of time with the board, particularly in light of new SEC reporting rules.
The CISO must ensure they have a security team in place that they can trust to deal with the attack without them present.
Security leaders should model their incident response plans on how fire stations work: they are designed to deal with emergencies and plan ahead for them, for example by organizing teams into shifts.
Sullivan concluded by saying that he believes the security industry is about to go in one of two directions, and it is up to professionals to decide which one they want to be in.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Thu, 07 Dec 2023 12:30:15 +0000