Uber’s former head of security, Joe Sullivan, was found guilty on Wednesday of obstructing an investigation by the Federal Trade Commission into Uber’s security practices. He was also charged with hiding a 2016 data breach from authorities. This serious offense could have far-reaching implications for other Chief Information Security Officers (CISOs), especially for the outsourced fractional/virtual CISO business model.
On November 3, 2016, Sullivan was made aware of a data breach that had occurred at Uber. A hacker had gained access to the personal information of 57 million Uber users, including their names, email addresses, and phone numbers. Rather than reporting the breach to the authorities, Sullivan hid it. He then paid the hacker $100,000 to destroy the evidence and keep quiet about what had happened. This cover-up eventually came to light, and Sullivan was charged with obstruction of justice and witness tampering. He was fired from Uber in 2017 and pleaded not guilty to the charges in 2018. However, a jury found him guilty on all counts. He now faces up to 8 years in prison.
The court decision has CISOs questioning if they’ll face the same fate should a similar breach occur within their organizations. What might their recourse be? Do they follow their conscience and do the right thing or cover it up for the company? Will this blame trickle down to the non-executive CISOs that are “Chief” only in name? There are many questions left unanswered, and we’ll likely not find good solutions anytime soon.
Another area of concern is the growing fractional or virtual CISO industry. An increasing number of organizations are outsourcing their CISO responsibilities to individual consultants or firms. Might we see an increase in third-party CISOs as a risk mitigation strategy? It’s far easier to blame a consultant for a lapse in judgment than a tenured executive with close ties to the brand. Will organizations begin to require more exorbitant personal, business, and cyber liability insurance coverage from their consultants? For a small business or individual consultant, the cost of doing business and the risk of assigned liability appear to be joined at the hip.
The situation with Joe Sullivan is still unfolding, but there are already some clear lessons from this case. First and foremost is the importance of being transparent about data breaches. Companies cannot afford to try to cover these things up; it will only come back to bite them later on down the road. Furthermore, this sets a scary precedent for all CISOs, employed and third-party alike. In an age where data breaches are becoming more and more common, businesses must do everything possible to protect their customers’ information. Let’s just hope it doesn’t mean an increase in “sacrificial CISOs” for the good of the business.