When the news of former Uber CISO Joe Sullivan’s conviction broke out, it set off a flurry of alarmist commentary on the future of InfoSec.
This was the first time a top executive had been criminally convicted in connection with a data breach. Many viewed the case as ushering in the new norm of jail sentences for security executives.
Headlines like “Sullivan Conviction Sends Chilling Message to CISOs” were common.
But after a few weeks of sober reflection, it became increasingly clear that the Uber hack and the CISO’s behavior in this case were far from typical.
Sullivan knowingly hid a major cyber incident for an entire year. Since the company was already under investigation by the FTC in relation to an earlier breach, failing to disclose the hack to federal regulators constituted a felony.
In short, Sullivan was not convicted of a cyber incident, but of knowingly obstructing justice.
While this scenario is not relevant to most cybersecurity professionals, I still think there are some very important lessons to be drawn from the Sullivan case.
Pressures of the Job
Being in the corporate data space for a long time, and having dealt with not a few cybersecurity leaders myself, I can tell you: Being a CISO is a tough job.
As the person in charge of protecting the network who is also a C-level company executive, a CISO experiences competing forces that create perpetual pressure. On the one hand, he must be fast and drive innovation; on the other, he must minimize risk and ensure compliance.
If those interests weren’t already difficult to balance, CISOs face a more challenging threat and regulatory environment than they did six years ago when Sullivan’s offense took place, including a spike in ransomware attacks of the very type Sullivan covered up. According to the latest numbers, approximately 82% of large companies were targeted with ransomware last year, compared to only 52% the year before.
Besides the increase in real-world threats, there is also an increase in demand for IT regulation. The last several years have seen large-scale regulation with the likes of GDPR, CCPA, and more recently, the tightening of New York’s DFS rules for cyber security. All of this has made the CISO’s job more complex than anyone could have imagined just a few years ago. Of course, these demands will only continue to grow. In response to emerging threats and new technologies, policymakers are hard at work crafting more laws to regulate data privacy—the American Data Privacy Protection Act (ADPPA) and the EU’s AI Act are two notable examples.
With all of the competing responsibilities, the question becomes, “How do these heavy responsibilities affect the way people in charge make decisions and communicate with managers?”
Between a Rock and a Hard Place
As head of Vendict, I’ve had the opportunity to talk with CISOs across many industries.
They tell me about their security challenges, the tools they need to address them, and the difficulties they have communicating with their fellow executives.
What I find most intriguing (and alarming) is that basically all CISOs, at the end of the day, are facing the same intractable problem: the demands of security and compliance are often incompatible with expectations from their CEOs and boards.
The sheer volume and complexity of the work they need to get through in order to meet respectable security standards and maintain compliance are so vast that it ends up impeding the operations of the business.
In one talk with a client in the medical AI field, their sales lead told us that before adopting our solution, compliance requirements would routinely hold up a deal closing for three months. Three months! The amount of pressure the security teams were under to streamline the compliance process was immense.
Even when a CISO does manage to speed things up, it almost always comes at a cost.
In one conversation I had with a CISO—whose company eventually became a client—he related how, at the time, he was using a competitor of ours to automate security questionnaires. The problem was that, while this platform was handling a lot of the menial work of the questionnaire, the majority of the answers being generated were incomplete or just plain wrong. They simply did not have the time or resources to verify all of the details. So whatever the program spit out, that’s what they went with.
It All Comes Down to Culture
Faced with this conundrum, how are CISOs expected to react?
All the incentives are aligned against them. “Get the security side done quickly so we can continue making money.” From the board’s perspective, that’s a totally legitimate demand. If the CISO raises too many concerns about the cyber risks involved, he’s shut down—or, even worse, shown the door. From there, it’s a short descent into security leads who cut corners and even lie to their bosses and stakeholders.
True, Sullivan’s story is extreme. But it is reflective of a bigger problem in the world of corporate infosec.
From where I stand, the solution to this problem is only going to be solved by a change in perspective on how a CISO contributes to company value. In many ways, this shift is already taking place. As many CISOs have noted, more awareness of security threats and the increased reliance on information technology in the wake of the COVID-19 pandemic have made companies recognize the value of the CISO and the role they play in enterprise success.
But what is really needed is to equip CISOs with the solutions and platforms they need to address today’s compliance challenges in a way that truly aligns with business needs. Not only to limit the cost of compliance but also to make compliance a value-add.
Armed with these tools, CISOs will be able to wield maximum influence in the firms they serve. They will not only prevent the next hack but also ensure their organizations thrive.