When a federal jury found former Uber CSO Joe Sullivan guilty of charges related to a data breach cover-up, cybersecurity leaders across the world sat up and took notice.
"Many CISOs thought, 'Should I leave this occupation?'" said Gadi Evron, CISO in residence at venture capital firm Team8, during a panel discussion at RSA Conference 2023. "'Why is the CISO the only one standing trial?"
Stewart Baker, an attorney specializing in cybersecurity and data protection at Steptoe & Johnson, described the Sullivan conviction as the result of a perfect storm of cybersecurity failures, corporate politics and poor decision-making. "Joe is a friend, and I respect him a lot, but he screwed up," he said.
In 2016, Sullivan agreed to pay two hackers $100,000 if they promised to delete data they stole from Uber. Rather than report the breach to federal authorities, Sullivan -- at the time, also the company's deputy general counsel -- positioned the payoff as a reward from the company's bug bounty program. The incident occurred as the Federal Trade Commission was investigating a 2014 breach and shortly before CEO Travis Kalanick resigned amid allegations of toxic and unethical behavior.
"It was a fraught time, and another breach would have been a disaster," Baker said. "So, the question was: 'Can we keep this a secret?'"
The jury decided -- and many security professionals agreed -- Sullivan acted illegally and in bad faith. Evron said some lawyers with whom he has spoken said the case's major takeaway for CISOs is simple: Don't break the law.
But, historically, many CISOs have also become corporate scapegoats who did nothing wrong, according to panelist and Unilever CISO Kirsten Davies. "I think some of us still have scars on our backs from seeing colleagues lose their jobs over cyber incidents that were not actually their fault," she said. "It was somebody else not doing what they were supposed to do, but the company had to offer up a proverbial head on a platter."
Even by-the-book security executives can stumble as they navigate the ever-evolving data privacy and compliance landscape, she added. "When you're in the middle of an incident, the fog of war is difficult," Davies said. "And now we're also balancing on this constantly shifting sand of regulatory requirements."
CISO liability advice
To mitigate CISO liability, panelists suggested the following.
1. Define your lane
Baker described Sullivan's decision to frame the extortion payment as a bug bounty reward as "very aggressive lawyering," underscoring the fundamental problem of Sullivan's dual role as Uber's deputy general counsel as well as CSO.
"The CISO's job is not to lawyer breaches -- it's to remediate them and respond to them," Baker said. "As long as you're listening to your lawyers and making them give you advice on these things, it's very, very unlikely you'll find yourself in a Sullivan-type situation."
But identifying and staying in the CISO's lane is easier said than done, Davies countered. "My lane as a CISO is like a 10-lane highway going in 15 different directions at any given time," she said, adding that the scope of the position varies significantly depending on the type of CISO in question. "If we all had a similar, consolidated, single way of looking at the CISO role, this might be an easier conversation, but it's very complex."
For years, top CISOs have preached the importance of understanding and supporting the business. "That's music to my ears," said panelist Alyssa Miller, CISO at legal and business services provider Epiq Global. But, she added, that means educating business executives on a given situation's risks, offering context and making recommendations -- no more.
"Let's talk about the edge of your lane: You're not there to make business decisions," Miller said. "Make them make those decisions because, at the end of the day, you don't have legal cover. And, if you take those decisions upon yourself, you're now in a very different world."
Alyssa MillerCISO, Epiq Global
2. Treat secrets as red flags
In the interest of minimizing CISO liability issues, Miller also suggested security leaders stay alert for one major red flag. "When you find yourself asking the question, 'How can we keep this a secret?' that should be your indication that maybe that's not the road you want to go down," she said.
In the Sullivan case -- as in so many others -- the bigger problem was not the incident, but the cover-up. And the premium that regulators put on open communication and transparency makes any efforts to mislead law enforcement, investors or the public inherently risky.
3. Hold crisis communication tabletop drills
While most security teams practice incident response tabletop exercises, Miller suggested also holding drills for executive teams that focus specifically on crisis communications and ethical dilemmas.
"It's a great way to accomplish two things. First, it can help you clearly establish your lane as the CISO," she said. "And, second, it sets executives' expectations -- so now you know they understand the types of scary decisions the team is going to have to make."
Executives who have practiced thinking on their feet during crisis drills will likely make better choices under pressure when the time comes. In late 2022, Miller's own team at Epiq conducted such an exercise, which the company's compliance team designed.
After running crisis communications drills, Baker added, CISOs should revise their incident response plans based on lessons learned.
4. Get it in writing
The vast majority of CISOs in the U.S. don't have employment contracts outlining the scope of their responsibilities and the legal protections their organizations afford them. But, according to Baker, they should.
"If you don't have a contract, then you need an understanding in writing about how you're protected," he said. That might mean, for example, coverage under directors and officers or indemnity insurance policies. "To my mind, that is crucial," he added.
And, again, ensuring everyone understands the limits of the CISO's responsibilities goes a long way. Baker said in his experience -- during both tabletop exercises and real incidents -- much decision-making should and does roll toward the lawyers' end of the table. "Make it clear you're going to consult the lawyers and they are going to make the final decision," he said. For example, the legal team should officially declare when an incident rises to the level of a breach, which starts the clock on disclosure requirement windows.
Employers would be wise to offer their CISOs legal assurances in writing, Baker added, as they shouldn't want security leaders to have to choose between protecting themselves and protecting their organizations. "As a CISO, I should be acting in the company's interest, and I should know that the company has my back," he said, adding that a written agreement can come from the CEO or the HR department, as long as it is binding to the corporation.
That said, CISOs who can't secure formal employment contracts have a back-up option: articulating in their incident response plans who bears responsibility for making which decisions. "Write down exactly what the procedures will be," Baker said.
5. Find a personal lawyer
"If you're a CISO or you want to be a CISO, my number one recommendation is to find a lawyer you can trust to help you negotiate your next job," Davies said. This person, she added, ideally specializes in the ins and outs of contract law and has previous experience working on the corporate side of the fence.
The best time to negotiate a contract is before accepting a job. But recent high-profile instances of CISO liability, such as the Uber case, can offer sitting security leaders an opportunity to revisit the terms of their employment. Davies said she has recently seen many of her peers broach the topic with their employers, including one CISO who had a particularly candid conversation with her company's CFO.
"She said, 'In the event of an incident, I know you're going to need a head on a platter to show to the shareholders,'" Davies said. "'I'm going to let it be me, and this is what it's going to cost you.'" The unnamed security executive ultimately negotiated a CISO golden parachute package that included a super-vesting of equity, a year in severance and a year's worth of benefits.
"You need a little bit of a safety net to say, 'I am all in with this company. I am here to protect the company, and you need to protect me as an executive,'" Davies said. "I can guarantee you CFOs, CEOs, chief legal officers -- they have those protections in their contracts."
All three panelists reminded CISOs that corporate lawyers are not personal lawyers -- they put the interests of their companies first. Similarly, Baker said CISOs should cooperate with federal law enforcement, while also protecting themselves legally.
"The FBI is not your friend," he said. "They are working for the Justice Department -- the same people who indicted a CISO. Just remember that."
6. Use precise terminology
Davies urged CISOs to accurately differentiate among security events, incidents and breaches in the language they use. "If it's an actual breach, then there are regulatory requirements in certain jurisdictions," she said. "Stop using the term 'breach' unless your law department has said, 'This meets the legal threshold and definition.'"
She also warned against making "puffery statements" on corporate websites, in marketing materials and in public appearances that -- in the event of a breach -- shareholders could potentially characterize as misrepresentations.
"Be careful about statements such as, 'We have world-class security,' or 'We have the best security I've ever seen,'" Davies said. "Any of us can fall prey to an incident at any time. A better statement to make is, 'We aim for great security.'"
7. Don't panic
Although CISOs should consider liability issues as a matter of best practice, Miller said she views the Sullivan conviction as an outlier that does not fundamentally change the landscape.
"I don't think we have to panic as CISOs," she said. "After this case, everyone was like, 'Oh my God! They're holding him liable for the fact they had a breach.' But no, they're not -- that's not what happened."
Nor, she added, does the case call into question the future of bug bounty programs as some have suggested. Rather, Sullivan and his team stretched the limits of what a bug bounty is meant to be -- arguably beyond all recognition. And the former CISO's liability hinged on the cover-up, not the breach itself.
Bearing all of that in mind, CISOs who remain true to their established policies, playbooks and processes needn't worry unduly, Miller said.
"This was a perfect storm, and it's not likely to happen again," Baker agreed.