‘They’re Coming After Us’: RSA Panel Explores CISO Legal Pressure

SAN FRANCISCO - RSA CONFERENCE 2024 — The role of chief information security officer (CISO) is rapidly turning into one of the most important -- and most stressful -- roles at an organization as cyberattacks continue to plague companies at record levels.

A panel discussion on Tuesday at the RSA Conference in San Francisco explored the modern perils of the CISO position and how IT leaders should respond to an escalating threat landscape that threatens to blow back on senior security executives.

One member of the panel was all too familiar with the dangers of being in the security hot seat: Joe Sullivan, the former CSO of Uber, was indicted after a 2016 breach exposed the data of 56,000 Uber users. He avoided jail time but was sentenced to three years of probation and to pay a $50,000 fine. [Editor’s note: Contributor Carrie Pallardy had a two-part interview with Sullivan that appeared in InformationWeek last year].

Sullivan told the audience that what’s even more important about what a company does after a breach -- is what the company says both internally and externally. Authorities are increasingly focusing on communications.

Sullivan, who now runs his own security consultancy, says his experience has changed some attitudes about the CISO role.

Related:SolarWinds, CISO Targeted in SEC Lawsuit

“I’ve been getting calls from people who are considering taking on a CISO role ... they would call and say, ‘Hey Joe, how do I get the job? What do I say when I get interviewed by a CFO or general counsel?’ Now, when I get those calls, it’s ‘Do I really want the job?’”

The panel also included Gadi Evron, founder and CEO of AI security firm Knostic, Charles Blauner, president of Cyber Aegis, and David Cross, senior vice president and CISO of Oracle SaaS Cloud. Sullivan noted that despite the name of the discussion, “CISOs Under Indictment: Case Studies, Lessons Learned, and What’s Next,” that he was “the only one that was actually indicted” to laughs from the audience.

Evron said the rise in pressure on CISOs directly correlates with the rise in cybercrime. “The heat is (coming) because the reality is that you’ve got these entities in government, who are responding to the huge rise in cybercrime. It’s not like the old days, where there’s an incident and most people wouldn’t notice. When stuff happens today, the whole world knows.”

How CISOs Can Lower the Temperature

So what should a CISO do now that the pressure is turned up? Sullivan said the key is to create standards that spread security responsibility throughout leadership.

Related:SolarWinds Fires Back at SEC Fraud Charges

“I think we need to embrace really objective standards, really clearly document them to the board,” he said. “We need to get away from the world where all the decisions were made by the security team. They need to be made at the CEO and board level and they need to sign off on everything.”

One audience member asked about liability that companies face surrounding employees’ email communications. Blauner said there was no easy answer, but there are a couple things IT leaders can do.

“One is to raise awareness about just being professional in your communications,” he said. “I always told my team, if you want to vent, come into my office and yell at me. Don’t put it in an email. You can create a culture that allows people to communicate more professionally. The other thing it comes back to is governance around risk … if you have good governance, and you have good process around how you escalate and manage risks, I think it takes a lot of the danger from some of that chatter away.”

Oracle’s Cross said it’s also important for CISOs to have clear documentation defining the role and responsibilities within each organization.

“It’s all about documentation,” he said. “Who has clear documentation of your role and responsibility? [A small portion of the audience raised their hands]. If you’re in the 5% of the audience that has clear roles and responsibilities documented, that’s why you’re in trouble. It’s not documented. So why can’t you be blamed?”

Related:The CISO Role Is Changing. Can CISOs Themselves Keep Up?