The CISO entrusted with the protection of Uber’s data was found guilty of failing to effectively protect that data. CISOs now face actual personal accountability.
Former CSO Joe Sullivan and other top officials covered up a 2016 Uber data breach, which led to a guilty verdict on October 5, 2022, and a subsequent indictment by the Department of Justice. This sentence is causing increasing anxiety within the cybersecurity field because it raises the personal risk borne by cybersecurity practitioners, cybersecurity leaders, CISO-as-a-Service providers, and Virtual CISO organisations. I recently attended Trend Micro’s CLOUDSEC 2022 event in Sydney, where I sat down with David Chow, Global Chief Technology Strategy Officer at Trend Micro, to hear his thoughts on the matter.
“CIOs and CISOs in the past may lose their job, but they wouldn’t be held personally liable, like they’re now,” commented Chow. “Why does the board get to escape from the situation? That’s a puzzle.”
How far down the executive chain of command should company liability insurance coverage go? What recommendations are the human resources and legal departments making to executives regarding their personal culpability? Is it necessary for them to hold personal liability insurance? These open questions are creating uncertainty and even operational paralysis, and they need to be addressed.

This tension was on display in court. The Uber leadership team noted that Sullivan’s accounts had influenced their choices, and Uber has distanced itself from his actions: Uber’s legal counsel was committed to defending Uber, not Sullivan.

The Washington Post reports that a range of security executives are concerned about how their personal culpability may affect executives’ willingness to participate in business decisions given these new risks. Moreover, senior security roles have historically been notoriously hard to fill because truly capable executives are scarce. With this likely escalation of the risk profile attached to such positions, a significant number of professionals who might naturally have gravitated towards them may now look at other avenues. This leaves many organisations vulnerable, as the many who have fought hard to have a security voice at the table fall silent.

While the ultimate responsibility naturally falls on the CISOs who accept the role, the effects are felt downstream too. Infosec and other security staff may also come under the microscope, placing additional scrutiny on already tightly stretched teams.
Will people want to take on the role of CISO? Or even take up security at all, with this liability hanging over their heads?
“The pay will increase for CISOs. Some will want to take the risk, and others won’t,” said Chow. He went on to air his suspicion that “…a new market will open now for insurance companies as they offer insurance to the C-level and the board.”
As CISOs now carry a bigger portfolio of responsibility, personal liability has become a reality. Demand for companies that offer CISO-as-a-Service, shared-time CISO, or virtual CISO arrangements may well increase as organisations look to shift much of this hitherto uncalculated risk to a third party in order to lower executive liability. However, this ostensible boon does not necessarily translate into unfettered good news for these providers. For external strategy consultants and external accounting and auditing firms, carrying such liability is already standard practice, and external cybersecurity service providers might raise their prices in response, to account for the responsibility and risk placed on the shoulders of their consultants. As costs increase, we may see the familiar ebb and flow of outsourced work return as the risks and unknowns of these new CISO responsibilities crystallise over time.
What do you think the future of personal liability in cyber will look like?