
What Uber’s Joe Sullivan Case Means For ‘Sacrificial CISOs’
Forbes ^ | Oct 6, 2022 | Andrew Hay

Posted on 10/11/2022 4:14:08 PM PDT by piytar

Uber's former head of security, Joe Sullivan, was found guilty of obstructing an investigation by the Federal Trade Commission into Uber's security practices on Wednesday. He was also charged with hiding a 2016 data breach from authorities. This serious offense could have far-reaching implications for other Chief Information Security Officers (CISOs), especially on the outsourced fractional/virtual CISO business model.

(Excerpt) Read more at forbes.com ...


TOPICS: Business/Economy
KEYWORDS: cisos; datasecurity
Pitfalls of outsourcing data security. Hackers abound.
1 posted on 10/11/2022 4:14:08 PM PDT by piytar

To: piytar

PS I am somewhat involved in the data security world...


2 posted on 10/11/2022 4:14:41 PM PDT by piytar (Do NOT forget Ashli Babbit!)

To: piytar
Pitfalls of outsourcing data security. Hackers abound.

Whether kept in-house or outsourced, there are functions in a corporation or agency that need to be duplicated with complete firewalls in between the two teams. Everyone on each team has to live in fear that anything they miss will likely get caught by members of an unknown parallel team.

...but no one wants to pay for it.

3 posted on 10/11/2022 4:21:30 PM PDT by T.B. Yoits

To: piytar

CISOs, CTOs and CIOs need to spend more time talking candidly with people who’re hands-on with incident response and “white hat” stuff.

They really need a breadth of experience - it’s not as if they can afford to be hit by every conceivable attack vector to figure out the best responses and preventative measures; they need to learn from the experiences of others.

A competent C-suite understands that cyber security isn’t one of those things you can just silo internally and hide bad news from your supply chain, customers and regulators.

A truly resilient business doesn’t hide - it participates in industry forums like ISACs to communicate risk vectors. It promotes a speak-up culture. It doesn’t just run performative “don’t fall for spam!” training for the purposes of ticking a compliance box.

Over here in the UK, one enterprise that fell foul of a massive cyber security breach that brought it to its knees for months gives talks to other organisations in the sector, explaining exactly what happened, how it happened, how much hard work it took them to minimize the damage, how much harder it was to restore operations fully, and what lessons they learned.

Whatever reputational and financial damage they may have suffered in the breach has been recovered by their taking such strong leadership. Their candor and mentoring of even small businesses to ensure they don’t make the same mistakes has made them heroes in their sector.

Probably a boring angle but I see this as the conflict between outdated MBA management practices, and cyber resilience. In the past, it’d be quite fun for a large corporation to watch a competitor lose out badly to some cyber criminal act, and just bury bad news when it comes, but these days that mentality could put you out of business.

The supply chain might overlap between you and your competitor - if they get hit, you get hit. So it is vitally important for business resilience to have your business partners AND suppliers AND competitors all sharing their experiences (within reasonable circles of trust). Hiding things from the regulators and the industry has false economies.

Maybe not so much in the USA, but COVID remote working transformations followed the same pattern. The businesses that innovated successfully helped others (including competitors!) to adapt - and they all benefited massively from the reputational boost.

It’s the ones who made a big secret of them actually doing very little to adapt, and then made a complete hash of it while going it alone, who suffered the most.


4 posted on 10/11/2022 4:38:25 PM PDT by MalPearce ("You see, but you do not observe". https://www.thefabulous.co/s/2uHEJdj)

To: piytar

Uber pulled all kinds of stunts in their formative years. Tracking drivers and users. Redlining pickups from users and geographic regions. And I can’t remember how much more.

Even the drivers play games. Try to get an Uber at a major airport. Half the drivers turn off their apps so the other half can get “surge pricing” due to “lack of available drivers”.


5 posted on 10/11/2022 5:03:56 PM PDT by monkeyshine (live and let live is dead)

To: piytar

CISOs are the fall guy for the Congressionally dictated CIO under the Clinger/Cohen act.


6 posted on 10/11/2022 5:10:06 PM PDT by joma89 (Buy weapons and ammo, folks, and have the will to use them.)