Some strategies for CISOs freaked out by the specter of federal indictments

Legal actions against top cybersecurity professionals in recent years have sent shockwaves through the information security community, sparking fear and uncertainty over whether decisions made during the chaos of a cybersecurity incident could end up costing IT security leaders their jobs, their financial security, or even their freedom.

In the most prominent case, Joe Sullivan, former CISO of Uber, was sentenced in 2023 to three years of probation and ordered to pay a $50,000 fine after a jury found him guilty of obstructing an official proceeding and of misprision of a felony (failing to report a crime). The charges stemmed from his concealment of a 2016 breach of Uber’s systems from the Federal Trade Commission, which at the time was investigating an earlier 2014 breach of the company.

Then in October 2023, the US Securities and Exchange Commission announced charges against SolarWinds and its chief information security officer, Timothy G. Brown, for fraud and internal control failures relating to cybersecurity risks and vulnerabilities the company allegedly knew about before the 2020 compromise of its software by Russian state-sponsored threat actors. Unlike the Sullivan case, the SEC action is a civil complaint rather than a criminal indictment, though it is the first time the regulator has named a CISO personally in such a case.

Many fear indictments could have a chilling effect

Many in the cybersecurity community fear that these cases will have a chilling effect on how CISOs perform their duties, particularly during critical cybersecurity incidents, making them hesitant to make difficult calls lest they be scapegoated for what are inherently fraught decisions.

“Some CISOs feel like they’re the frog that’s in the water that’s starting to boil, and they don’t like that feeling, and they want to make sure that they’re doing the right things to navigate that heat,” Sullivan said during a panel discussion, “CISOs Under Indictment: Case Studies, Lessons Learned, and What’s Next,” at this year’s RSA Conference.

The panel of current and former CISOs emphasized that in this environment, CISOs need to document their roles and responsibilities, involve the right people in incident response and decision-making processes, and have the courage to stand up for their convictions to minimize the risk that they will face the same fates as Sullivan and Brown. 

CISOs can protect themselves by making responsibilities clear

With cyber incidents becoming more frequent and prominent, the role of CISOs has become a lightning rod. “Historically, the risk calculus was bad stuff happens, I’m going to get fired, I’ll go on to my next job,” said Charles Blauner, partner and CISO in residence at Team8 Ventures, during the panel.

“You’ve never thought the risk calculus is [that] bad stuff happens, my family gets bankrupted, I might go to jail, and I will never work again. That’s a very different risk calculus,” Blauner said.

“The heat is up because the reality is you’ve got these entities in government who are responding to a huge rise in cybercrime in a way that no one can hide. It’s not like in the old days when if an incident happened, most people wouldn’t notice when stuff happens. Today, the whole world notices,” he said.

Blauner’s bottom-line advice to CISOs to protect themselves is to “take a look at every governance document you’ve got and really make sure that it’s crystal clear about roles and responsibilities, especially around who makes risk management decisions.”

The CEO should take ultimate responsibility

Sullivan argued that the ultimate responsibility for how an organization responds to cyber incidents should fall squarely on the shoulders of the CEO. “We’ve got to get away from the world of, ‘Oh, all the decisions were made by the security team.’ They need to be made at the CEO and board level, and they need to sign off on everything, and then accountability is going to move there,” he said.

Sullivan said that the judge in his trial asked where the CEO had been during the Uber incident. “I think that’s where the focus is going to evolve to go in the next couple of years,” he said. “I think in the SolarWinds case, when the SEC starts to dig in deep, they’re going to look, and they’re going to see that this is a security team that was trying its best with limited resources.”

And it is the CEO and board, not the CISO, who are responsible for providing resources to the security team. “A lot of people foolishly think CISOs make budget decisions,” Blauner said. “I was a CISO for 20 years. I could ask, but I could never decide.”

Involving the right people is a good defense

Another protective measure CISOs should adopt is to ensure in advance that the right people are involved when tough decisions are made. “Who else do you have to work with?” said David Cross, CISO for the Oracle SaaS Cloud Security engineering and operations organization.

“You have to work with the developers and the engineers; you have to work with operations. Are you going to take a patch or not? Is it your decision and only your decision? No, it’s a partnership.”

“You’ve got to build these standards, for lack of a better term, across all your partners and your executives, saying these are the standards we’re going to live by, these are the standards we’re going to make decisions by. And it’s documented, it’s public inside your company. And so, when anything comes up, it’s crystal clear who’s making the decision.”

Blauner noted that following the last banking crisis, banks had to develop risk tolerance statements that required board approval. “That gave you this sort of framework all the way up to the board to talk about what was acceptable and what wasn’t.”

Should you ask for more insurance covering potential legal costs?

A tricky question that CISOs face is whether to press their organizations for insurance that covers independent legal representation if litigation results from a cyber incident. In practice this usually means a written indemnification agreement and confirmation, with counsel, that the company’s directors and officers (D&O) policy extends to the CISO. “What you want is insurance that’ll protect you personally if you need to get a lawyer during litigation, and the costs get covered,” Cross said.

“A lot of the CISOs that I know who got nervous about this, they’ve gone back to their company and negotiated saying, ‘Hey, look at this SolarWinds case. Look at Joe’s case.’ I need to have independent representation.”

Cross emphasized the importance of getting insurance upfront before an incident occurs. “Imagine you’re in the middle of a security incident, and all of a sudden, you call the general counsel and say, ‘I need independent representation.’ Are they going to trust you for the rest of that incident? No. So you want to do it much in advance.”

Stick to convictions and values and challenge management

Another critical step CISOs can take to protect themselves from potential litigation is to challenge management when they suggest questionable actions. “Another really hard thing is you have to have the courage of your convictions to be a good CISO,” Blauner said.

Blauner recalled a situation in which one of his bosses, during preparation for a board meeting, shared plans for taking an issue to the board in a way that made Blauner uncomfortable. “And I basically told him, if you take this into the board meeting, and if they ask me, I’m going to disagree with you in front of the board.”

“Be upfront about it. Have the courage to sort of take that view.” He added, “If my boss hadn’t changed the presentation, I would’ve resigned.”

Despite rising concerns over possible indictments, CISOs should take comfort that “only one CISO has been indicted, and none have gone to jail,” Sullivan said.

“You should be paying attention to the advice we’re giving here, but it shouldn’t become the dominant thing in your head every day when you’re doing your job. We all joined this profession because we cared about protecting people, and that should be our primary focus every day.”
