CISOs and potential CISOs worried about criminal risk won’t go to jail if they follow four simple steps.
There seem to be two reactions to the verdict in the Sullivan case. One reaction, often from CISOs already stressed by being outside the room where it happens, is to decide that being a CISO isn’t worth the risk – it already wasn’t worth the stress. If the title is really Chief Scapegoat Officer, it’s one thing to lose your job, but your freedom? That’s across the line. The second reaction seems to be nonchalant. What’s the big deal, after all? It’s just one person, and there was some shady stuff going on over at Uber.
Going to jail as a CISO is a new and novel risk, and humans tend to react strongly to surprising risks, especially when they hit close to home. Joe Sullivan is the first CISO to be in this position, and many in the security industry knew him, so it’s reasonable to take this a little personally. But professionally? Most CISOs aren’t going to find themselves in Joe Sullivan’s shoes.
If you haven’t been maniacally following the trial (I haven’t either), the central issues seem straightforward: Uber was under investigation for privacy issues. Uber had a data breach. The attackers extorted Uber. Uber paid them through their bug bounty program (albeit by modifying the bug bounty program to meet the hackers’ demands). Uber did not disclose this breach to the federal investigators. Those facts don’t seem to be in contention. What did seem to be in contention was who knew all the details. Was it just Joe Sullivan? Was it Uber’s other lawyers? (Sullivan was also wearing the hat of deputy general counsel.) Was it the other executives?
4 steps for CISOs to stay out of jail
Uber’s early startup culture was heavily driven by its founder, Travis Kalanick, and calling that culture “techbro” isn’t nearly evocative enough. While it can be tempting to want to be the hero and turn around an organization, recognize that you’re at heightened risk – both of finding convenient shortcuts and of inheriting a program that probably has a lot of weaknesses. Moving into a company that was just starting to care about user privacy, and which the government was already paying close attention to, was a risky move.
Your first step for staying out of jail? Stay out of that type of situation, or, if you find yourself in it, hold very tightly to your values.
There is a difference between a security researcher and an attacker. A security researcher might compromise your systems and get access to your data repository, but they stop before they exfiltrate your data. They might redact a screenshot, or take a tiny sample of something, and then they will carefully track where everything went. They’ll contact you under a name that ties back to them. The researcher hopes you’ll pay them a bounty, especially if you have a bug bounty program, but they risk you deciding not to pay. Their only recourse if you don’t pay is to disclose the vulnerability publicly to embarrass you.
An attacker takes your data. They hold it hostage and demand that you pay them, or they’ll do something nefarious – sell the data to a broker or just publish all your data. They started by doing you harm, and the reputational harm is only a piece of it.
Your second step for staying out of jail? Don’t use the tools for engaging researchers (who did not breach your data) to engage attackers (who did).
Whether you suffer a data breach or “just” have a vulnerability found by a third party, you have a duty to publicly disclose it. Sometimes, that duty comes from legal or regulatory regimes, and you might have a time limit to disclose. Other times, that duty comes from harm minimization. If an adversarial third party knows you have a weakness, you negate a lot of risk by fixing it and telling the world. The adversary loses any hold on you, because now they can’t disclose anything interesting.
Your third step for staying out of jail? Don’t hide data breaches.
Now, if your company is under investigation by the government, for anything, be really careful about what you hide from the investigators. Being non-responsive, especially in an area they are actively scrutinizing, is a serious problem.
Your fourth step for staying out of jail? Don’t actively mislead government agents who are investigating your company.
If your company violates the above rules, make sure you aren’t the scapegoat. If there are communications between you and other executives, especially if they pressure you to break these (or other) rules, keep receipts. Retain your own lawyer. (Remember, your company’s lawyers have no obligation to you, just to the company.) Make sure your lawyer gets a copy of the receipts, because when you leave the company, you’ll lose access to your inbox. If your inbox is the only place you had evidence that it was a company decision, and not you acting as a rogue executive, you won’t be able to keep that evidence. This step might not keep you out of jail, so it’s hard to call it a fifth step, unless the act of keeping evidence makes it harder for your conscience to accept being complicit in breaking the above rules.
Should I take that next CISO gig?
This verdict probably shouldn’t be the deciding factor in whether you’re going to be a CISO. For most people who are aiming to be CISOs, this isn’t a significant enough risk to alter their decisions. For a small handful of executives – maybe the “CISO-stars” who do step into high-risk, high-profile situations – this may dissuade them from a dangerous situation. For most CISO candidates, though, this verdict shouldn’t change your career plans.
Try not to make the same mistakes that Uber did.
This post originally appeared on CSO Online.