By Guy Golan, CEO and co-founder of the Performanta Group
It won't happen to me! Security professionals know this reaction—usually spoken by executives, business chiefs and customers who believe they are not a likely target for cybercrime. If only cybercrime was that discriminating. But while the security world can shake heads at such misguided beliefs, we may be doing the same thing.
Ask yourself: when a court found a former Uber security executive guilty of concealing a breach, did you pause, or did you say, 'It won't happen to me'?
Yet it can, and every CISO, CSO and security manager needs to pay close attention. This court case is a watershed moment in the industry. Many things will change as a result. It's crucial that anyone in a security leadership position note where they stand and how they can improve their position.
Specifically, I'd expect CISOs and other senior cybersecurity leaders to appreciate they are more exposed than they think. They should start talking to their employers about closer business alignment, career development that improves their business understanding, clearer legal advice and protection, and insurance to cover unexpected problems that will arise from complex cybercrime risks.
The Frontline of Cyber Risks
I won't comment on the Uber case's specifics, which involve an executive going to some lengths to conceal data theft. It's unlikely most security leaders will land in the same pickle. But we can ponder a few things.
Concealing a breach can mean many different things. Do executives and boards understand when they might tacitly approve concealment activities? Do they care to understand the nuances? Or do they just nod and tell the CISO to take care of things?
CISO roles carry enormous risks on behalf of their employers. Their responsibilities touch most of an organisation—few executive roles work with so many different departments, stakeholders and outcomes. Yet CISOs are often still treated as glorified managers, not at the level of senior executives primed to best serve their companies.
In most organisations, a CISO is a secondary role to the CIO, CFO or COO. This case shows they require influence and protection comparable to those positions. It also suggests a company could throw their CISO under the bus to protect the organisation. Matters won't be that dramatic for most security executives. But it's now a clear possibility—especially if there are leadership or owner changes. CISOs and their peers need to start asking some pertinent questions.
Protection Comparable To Other Executives
How many organisations have clear business skill development paths for their CISOs? Do most CISOs clearly understand regulations and legislation and how these affect their role? Are you, the CISO, protected and equipped at the levels of risk and responsibility that come with your position?
Likely not, as made evident by the Uber case. We assumed that the buck stopped with CEOs and boards, generally the punitive targets of cybersecurity legislation. But the CISO's assumed protections are less clearly defined than any of us had assumed.
CFOs also have to follow laws that regulate their conduct and liabilities. The Sarbanes–Oxley Act is one example, created at the turn of this century after a spate of egregious corporate accounting scandals. Yet the CFO role has been around for a long time. It benefits from a history of laws and defined gravitas within organisations. It can take its protection for granted.
Not so for the CISO. Cybersecurity is scarcely a few decades old, and CISO titles only emerged in the mid-1980s. There is little clarity around the role's legal responsibilities. What happened to the Uber CISO can't happen to you, right? The fact is that you don't know that.
CISOs Must Safeguard Their Positions
CISOs need to protect themselves. Though legislation will evolve to define responsibilities more clearly, CISOs must be proactive and start setting the tone for their roles. They must require stronger growth and better packages to compensate for facing big risks. They need stronger insurance to protect them and their families. And they should expect 100 percent alignment to business objectives. Otherwise, how can they be accountable for things that they don't know?
CISOs are digital business gatekeepers with a broad purpose comparable to COOs and CFOs. They should be equal to the top layers of the C-suite in terms of power, compensation and protection. Their organisations should help develop CISOs' business understanding and abilities. All this starts with defining, understanding and protecting the responsibilities and liabilities CISOs shoulder on behalf of their organisations.
These are big asks, and many will accuse CISOs of punching above their weight. But there is a former Uber CISO who might beg to disagree. When the chips were down, he was in the firing line—not the CEO, COO or even Uber's legal team. Whether that is justified or not is a matter for the courts. Yet don't assume your company has given your CISO role the required understanding and protection.
If you think your employers will have your back, you are making a risky assumption. Even if they think they do, these matters are still too vague to draw such conclusions. The Uber judgement is a watershed moment in the cybersecurity industry. It will change everything. Rather be the change than have change forced on you.