Legislators and policymakers are holding corporate executives accountable for data breaches and privacy violations, but there are steps CISOs and similar IT leaders can proactively take so that they do not unfairly become scapegoats.
In May 2023, Joe Sullivan, the former chief security officer at Uber, was sentenced to three years of probation for what the U.S. described as the cover-up of a 2016 data breach that impacted roughly 57 million Uber users and drivers. One year later, at the 2024 RSA Conference in San Francisco, Sullivan and several fellow panelists offered tips on how CISOs can protect themselves from being singularly targeted by the SEC, FTC or federal prosecutors.
Among the panel’s top recommendations was to clearly document the CISO’s specific duties and where they fall within the overall hierarchy of corporate compliance, and then implement standards and protocols around those definitions.
As part of this exercise, it should be made clear that when it comes to security solution investments or incident response decisions, the buck doesn’t stop with the CISO. Typically, the CEO and other key stakeholders should be signing off. In fact, the judge in Sullivan’s case even asked prosecutors why the CEO wasn’t facing similar charges.
“We’ve got to get away from the world [where] all the decisions were made by the security team,” said Sullivan during his “CISOs Under Indictment” panel session. “They need to be made at the CEO and board level, and they need to sign off on everything. And then accountability is going to move there.”
David Cross, SVP and CISO of Oracle SaaS Cloud, agreed that companies must develop and live by these defined roles and standards. That way, if a cyber incident does require a response, “it’s crystal clear who's making the decision,” said Cross.
Sullivan also advised CISO-types to ensure that any public statements that their companies make about data privacy and security accurately reflect reality – especially because the SEC is empowered to punish material misstatements, while the FTC is charged with cracking down on deceptive trade practices.
“How many of you as a security leader actually get up every morning and think about: What are all the things my company is saying about our security right now?” asked Sullivan. “Because those are the things that the company is being measured on. What did you say in your privacy policy? What did you say in your 8-K? What did you say in your 10-K?”
“Security leaders need to actually pay attention to the content that their company is putting out and say… ‘If you’re going to say something about security, can you at least check with the security team first to make sure it’s accurate?’” Sullivan continued.
The panel also advised CISOs to ensure they are covered by Directors and Officers (D&O) liability insurance, which pays the cost of litigation in the event of a cyber incident. In lieu of an insurance policy, they can alternatively obtain official assurance that the employer will pay for their independent legal representation on an as-needed basis.
Sullivan said he knows of fellow CISO colleagues who have negotiated with their companies for such protections. To make the request sound less suspicious or self-serving, Sullivan suggested that CISOs recommend this strategy not just for themselves, but for all relevant stakeholders within the company. And they should ask for this before an event happens that might require legal assistance.
The panelists agreed that to avoid the legal hotseat, CISOs may have to do a better job advocating for the above recommendations. After all, the CISO role “is getting a lot more attention now than it ever did before. And expectations are much higher,” said Sullivan. “And the challenge for a lot of people in the role is that they got into the role… before the expectations and before the heat. And so some CISOs feel like the frog that’s in the water that’s starting to boil – and they don’t like that feeling.”
Rounding out the panel were Charles Blauner, president of Cyber Aegis LLC, and moderator Gadi Evron, founder of Knostic.