Reflections on the Uber case's impact on security professionals.
Oct 12, 2022

The conviction of former Uber security chief Joe Sullivan has affected the community of security professionals around the world.


The case of Joe Sullivan, Uber’s former security chief convicted for his attempt to cover up a 2016 hack, has affected the security community, specifically, C-suite security professionals.

Ramifications for CISOs.

The Record by Recorded Future reports that CISOs fear “CISO scapegoating” will become more commonplace after the verdict, which Digital Shadows CISO Rick Holland says makes a challenging job even harder. “I expect more ‘whistleblower’ CISOs to come out of the woodwork over time. The pressure as a CISO is overwhelming to spend no money, plug all the holes, and never have an incident to report,” said Bill Bernard, Deepwatch’s vice president of security strategy. “We have to move to an understanding beyond this: there will always be breaches, we have to accept that. It is how we address the breaches when they happen, and how we improve the programs by which CISOs need to be judged.”

We received a comment from Christian Vezina, CISO at OneSpan, regarding the Uber breach and the state of CISOs: “When a major security incident hits, there is a collective effort between executives and the security team to address, mitigate and contain it. The incident response team is activated, technical teams, legal and communications are brought in, and executives are kept abreast of the issue as it unfolds. In regards to the Uber breach, if a decision was made to limit the information to be communicated about the incident, the CISO was not acting alone. When large-scale breaches occur, particularly those that involve consumers and their personal data, it's not unusual for the industry and the general public to look for a sole person to blame. However, it's not that simple. What's challenging about the conviction handed down to Uber's former CISO is that it paints the CISO as an undesirable position, one that will be blamed for the actions taken by the whole. This explains why fewer and fewer people are interested in the job, and why the average CISO tenure is so short. Of course, this incident also speaks to how invaluable the CISO role is in today's threat environment and why their leadership is crucial when a data breach hits. They will ultimately be held accountable for any consequences of such incidents and the actions taken in response.”

Impact on CSOs.

Security InfoWatch reports that CSOs are in this position every day. “I don't think this is anything new, I just think it is a high-visibility incident with a different twist,” says Bob Hayes, managing director of the Security Executive Council and former CSO of Georgia Pacific and 3M. “There are risky decisions made every day in companies – not illegal decisions, but things like acquisitions, divestitures, product launches, the list goes on. Companies must take precautions to minimize that risk, and that's what CSOs do for a living. I think this should be a wake-up call for those who don't realize that.” Security best practices and knowing the law are a must for CSOs, and this event will shape CSOs' actions for years to come. “It is a high-impact event. It could have a negative impact, but it could also be a positive, because people are going to say to themselves, ‘I better learn about this, and I better be pretty darn professional about what I do.’ I think it will change behaviors for some people; for others it will reinforce what they have been doing all along,” said Hayes.

Added 10.14.22.

Coro co-founder Dror Liwer reminds CISOs and CSOs of their primary objective: “As more and more regulations emerge in different verticals and geographies – all driven by local and federal governments – we must remember that our number one priority is to protect our customer, partner, and employee data. If a company as well funded and technologically sophisticated as Uber became a victim of data theft, what can a smaller organization with no security team do?”