The role of Chief Information Security Officer (CISO) became more complex when recent news broke that Uber’s CISO was convicted for covering up the breach from the Federal Trade Commission. This is the first major criminal case against a corporate executive that has personal repercussions from a breach by an outsider.
This verdict raises a lot of questions for CISOs, so I recently spoke with industry experts to discuss the impact of this court ruling and draw insights on how CISOs and security leaders should move forward.
1. Embrace transparency: Shift the mindset from having to report incidents to regulating bodies to one of open communication to solve issues.
I think we often get a little too nervous about having an open dialogue with regulators and letting them know that there’s an issue. As you gain more information, you can keep them updated. You don't have to rush to have all the answers.
Stephen Ward, The Home Depot's former CISO
As CISOs, we must be well positioned within the organization to ensure that we're elevating and escalating issues that might have an impact on the company. Part of our job is to share bad news, even though that bad news might come at a cost. It’s our responsibility, not only to our company, but to our customers to ensure that we're being transparent and elevating issues to the right individuals within the organization. That responsibility hasn’t changed. It’s just more in the spotlight now.
Tomás Maldonado, NFL’s CISO
2. Communicate regularly with your executive team: CISOs need to maintain an open dialogue with their executive teams and general counsel to discuss high-stakes scenarios rather than making decisions in isolation.
The role of the CISO is not to make the decision about the introduction of risk to the company. It’s our job to present it to executives and decision makers, and explain why we think it should be accepted or not accepted. The CISO should not declare a breach, incident, or event. It should be the executive team, board of directors, or general counsel, in my opinion.
Olivia Rose, Amplitude and Mailchimp’s former CISO
When I was General Counsel at Airbnb, I had a monthly meeting on the calendar with the CISO. Whether or not we had any pressing company issues to address, we met every month and we fostered a relationship. And we made sure that there were processes in place should a problem arise. We talked about what we would do in certain scenarios. I also made sure we had outside counsel involved. Public Relations should be in the room. You need different stakeholders for this sort of decision.
Rob Chesnut, Airbnb’s former general counsel and Chief Ethics Officer
3. Be prepared: CISOs should partner with their executive leadership team and Board of Directors to develop well-documented processes to follow with clear decision makers. The typical generic Incident Response Plan in use nowadays should be expanded to prepare for a variety of situations.
You want to run your ‘what-if’ scenarios and put policies in place with executives and get board approval to meet those challenges, starting with whether your company pays a ransom for ransomware attacks. Run all the scenarios against each decision. Make sure partners such as legal weigh in. You can rely on that muscle memory knowing you’ve covered this before. Anytime you're dealing with an incident, and you're making on-the-fly decisions that you haven’t practiced, or received approvals for, there's room for error.
Stephen Ward, The Home Depot’s former CISO
Within your incident response process, there should be decision trees reflecting each scenario that you work through and who you’re going to communicate with, and you should test those incident response processes on a routine basis.
Tomás Maldonado, NFL’s CISO
4. Cover yourself legally: The verdict was a wake-up call for security leaders with the harsh realization that the company is always going to protect itself first. Security leaders need to get their own legal representation to avoid becoming the sacrificial lamb in the decision-making process of security breaches.
There are questions about whether the CISO should now request to be on the D&O insurance. I know of two CISOs who recently took positions and required that they be added; however, D&O insurance does not cover criminal liability. I know one CISO who just took a role, who successfully negotiated the company paying for his own personal attorney. So, while it would be great to be added to the D&O insurance, I think it's more important to have access to your own personal attorney who will represent you, as well as ensuring that those lines of communication are open, there is a very solid corporate governance structure in place, and that there is a separation of church and state. You separate security from having legal on your team reporting to you, which was an element of the Uber trial.
Olivia Rose, Amplitude and Mailchimp’s former CISO
Consider bringing in outside counsel. It’s another layer, another opinion, a sounding board to balance against your legal team. Maybe you're too close, maybe there's an unconscious bias involved. Get outside counsel and get someone else's opinion so it's not sitting solely on your shoulders.
Stephen Ward, The Home Depot’s former CISO
5. Take the temperature: Ensure there is a culture of integrity in your organization and that you are surrounded by a diversity of opinions to help you decide on the best action forward. If this is missing, be sure to call it out to your leadership and the Board, emphasizing its importance.
If you're leaning in a direction that might not be clear, getting different perspectives from people with different backgrounds, experiences, and areas of expertise is really valuable. I think one of the lessons from the Uber case was that there weren't enough voices in the room. There was not good communication from different stakeholders.
Rob Chesnut, Airbnb’s former general counsel and Chief Ethics Officer
I've always focused in my job search and interviews on the transparency and the ethics of the company. They're very connected. But now I'm looking more at how open is that communication to the board? How open is that communication channel with executives? What is the tolerance for ethics? That's difficult to judge during the interview cycle, but you can certainly look for red flags. It's important to me to be somewhere where I can stay for a very long time. And that needs to be somewhere with an exceptional culture and ethics.
Olivia Rose, Amplitude and Mailchimp’s former CISO
We hope this discussion helps provide some useful takeaways, including how the role of CISO will evolve, ways you can prepare for future breaches, and the importance of better collaboration with your leadership team.
Watch the full webinar discussion with our panel here.