SAN FRANCISCO – Over the past few years, high-profile legal cases and lawsuits have sent shockwaves through the CISO community and raised questions about the liabilities that come with handling corporate security incidents.
In October, former Uber chief security officer Joseph Sullivan was convicted for his role in covering up details of a 2016 data breach from federal authorities. Meanwhile, in 2020, investors filed a lawsuit against several SolarWinds executives - including security executive Tim Brown - following the massive supply-chain attack on the company.
While both of these incidents were very specific in how they played out, they have put a new focus on the risks that CISOs take on during their jobs. Anne Marie Zettlemoyer, chief security officer with CyCognito, said this week at the RSA Conference that before the Sullivan conviction, CISOs were not thinking about employment contract negotiations that included legal representation or Directors and Officers (D&O) insurance, which is a type of liability insurance typically given to executives to protect them from claims that may arise from certain decisions.
“I think that started to really make us assess our own risk profile,” said Zettlemoyer. “We spend every day, every waking hour trying to defend a business and the infrastructure and do the right thing for their risk tolerance, and we forget to think about implications of our own.”
The federal jury in October found Sullivan guilty of obstruction of FTC proceedings and misprision of felony - which means knowing of a felony committed by others and failing to report it - in connection with his attempted cover-up of a 2016 hack of Uber. Sullivan attempted to cover up the breach by paying the hackers $100,000 under the guise of a bug bounty reward, according to prosecutors. When the FTC was investigating a separate, earlier 2014 breach of Uber, Sullivan worked with the Uber lawyers overseeing that inquiry, including Uber's General Counsel, but he never mentioned the 2016 security incident to them, according to the Department of Justice.
Speaking this week at the RSA Conference, Lisa Monaco, U.S. deputy attorney general, said Sullivan’s acts were “very, very different from a mistake made by a CISO or compliance officer in the heat of a very stressful time.”
“This was intentional activity, misleading the FTC and other intentional conduct found by the jury, [that was] very, very different, and nothing to do with the well-meaning and stressful work that CISOs and compliance officers have to deal with in the heat of the worst days of their lives, if they’re undergoing a breach,” said Monaco.
Still, Kirsten Davies, CISO at Unilever, said the incident brings a “whole new focus of lens” around the responsibilities that CISOs take on, whether it’s dealing with a security breach or with evolving regulatory compliance like the White House’s Cyber Incident Critical Infrastructure Act of 2022, which enacts 72-hour data breach reporting requirements.
“It’s a shifting landscape; I think that’s the biggest thing that jumps out at me,” said Davies. “For those of us that are involved in multi-nationals, perhaps multi-regional categories of conducting cybersecurity, we already know the fog of war is difficult when you’re in the middle of an incident, and you’ve got data coming at you from all places… Now we have a shifting landscape of regulatory requirements with regards to if you’re in India, in GDPR, Europe territory, in the U.S. with the SEC rules coming out. It’s just this constant shifting sand that we’re trying to balance ourselves and our teams on and the incident response on.”
While CISOs are on the front lines of security incidents, a large part of their job also depends on the level of support they get from their company, in the form of budget, resources and overall culture. Zettlemoyer said that she’s starting to see CISOs make conscious choices to move to organizations that take security more seriously.
“Now it’s a different context, and [CISOs] are having conversations on ‘you’re asking me to really foot the bill here on risk, not just professionally, but personally,’ and that opens up a greater discussion, I think, with the board and the rest of the C-Suite that can move things forward,” she said.
“I’ve seen - and I think this is a good thing - good folks walk away from companies or situations that are not properly investing in security because they’re thinking to themselves, ‘am I going to put myself in the situation where I cannot do my job with proper diligence, with the proper resources, and what is that going to mean for me? What risk am I taking on?’”
Andrea Hoy, virtual CISO at Troutman Pepper, said CISOs can benefit from the support of others, including the C-Suite, board and General Counsel - but a large part of that depends on the culture of the organization.
“Every time you join another organization you can always immediately feel the culture of that organization,” said Hoy. “You'll get into an organization as a CISO where maybe you’ll find something that isn’t exactly appropriate on a server, and depending on what the culture is of the company they may say ‘no, let’s not say anything outside of our organization about that.’ Then it turns into an ethical question, for us as a CISO, what do we do? How do we report this? Do we become a whistleblower, do we leave the organization?”
CISOs need to be proactive and get ahead of the messy tangle of legal challenges that could potentially arise from security incidents. The first step is making sure that coverage such as D&O policies is included in workplace contracts or agreements - and that these contracts exist in the first place. CISOs can also create an environment of shared accountability through playbooks that outline standard security and governance processes for the company, such as incident response playbooks.
The CISO role is still evolving, and questions around liability will continue to shape the responsibilities of security leaders in the workplace. At the end of the day, the primary goal of CISOs is to evangelize the message of a company’s risk, said Davies.
“If we all had a similar, consolidated way of looking at the role of CISO, this might be simpler,” said Davies. “But it’s very complex.”