Jack Jones on the Wrong Lessons from the Conviction of Former Uber CSO Joe Sullivan
UPDATE: The judge sentenced Sullivan to three years’ probation in part because the case was the first of its kind and warned CISOs not to expect such leniency going forward.
The Wall Street Journal recently published an article, “Whistleblower Reports of Lax Cybersecurity Expected to Rise,” reacting to the conviction of Joe Sullivan for his handling of two data breaches as CSO at Uber, one in 2014, one in 2016.
A federal jury found Sullivan guilty of concealing a felony by buying the silence of the hackers who breached Uber in 2016 and hiding the payment in his bug-bounty budget. The jury also judged him guilty of obstructing an investigation by the Federal Trade Commission of the 2014 breach at Uber by concealing the 2016 breach from investigators. Sullivan will soon be sentenced, facing a maximum of eight years in prison.
The Journal wrote:
“Security chiefs are now more aware of the personal risks they face over cybersecurity deficiencies after high-profile allegations of weak cybersecurity” at companies including Twitter and Uber and, as a result, whistleblowing is “becoming more common in the cyber field.”
“CISOs would do themselves a lot of good to really be thinking about documenting all these decisions that are made, as you’re taking things to the board and funding is being denied, or investments are being delayed,” The Journal quotes Todd Fitzgerald, vice president of cybersecurity strategy at the Cybersecurity Collaborative, an industry group for security chiefs.
The Wrong Lesson
I’d say that building a case to incriminate your stakeholders is exactly the wrong lesson for a CISO to take away from the unfortunate story of Joe Sullivan.
If CISOs are in fear of their personal liability and believe they have a bludgeon of “I’m going to document all the times I’m told no, and hold that as evidence against my executives,” then nobody wins, certainly not the organization that now must deal with a potentially hostile CISO. It also doesn’t address the root cause underlying some of the “no” answers that CISOs receive.
This whistleblower narrative also may feed an already problematic but prevalent attitude. Many of the security professionals I’ve encountered have the perception that they know what’s best for the business, and when management doesn’t support all their requests, they characterize management as negligent. They don’t stop to think that management needs to balance where to apply the organization’s limited time and money.
Corporate management is responsible for three main aspects of the business: revenue (or mission), cost management, and risk management (including cyber, as with all other forms of enterprise risk). Revenue and cost management are expressed in dollars and cents, as are the more mature risk dimensions. If we are not willing or able to express a cyber risk problem and our security needs in business (i.e., financial) terms that management can properly evaluate, then we are not enabling it to make well-informed decisions.
Take Responsibility, CISOs
It is the responsibility of security professionals to get our risk measurement and reporting act together before we can hold executive management accountable for not supporting what we do. Too often today, the support we get is based on either faith or fear, and that’s not a recipe for good decision making.
The first responsibility in this decision-making process is that CISOs need to know and be able to communicate risk reduction value in the financial terms that the business understands. Until we can do that, we should think twice before accusing executives of negligence when we force them to compare apples to oranges among spending initiatives for cyber versus the rest of the business.