I had a really interesting discussion with some CISO friends last week about how the CSO/CISO role will change after the guilty verdict of Uber CISO Joe Sullivan (I’ll refer to this as the Uber verdict going forward). Here are my personal thoughts:
The Scope of Liability Has Changed
The Uber verdict has now set the precedent that a CSO can be held personally liable for security failures at an organization. This means data breaches, security incidents, regulatory and compliance audits, external inquiries and bug bounties all carry increased weight: each must be handled appropriately according to laws, industry regulations and corporate policies, and ultimately how you handled the event will be scrutinized should it end up in court.
The Uber verdict also demonstrated that there is a limit to how much coverage and protection a company will provide to a CSO / CISO after major security events have occurred.
While this may sound ominous and extremely concerning, I don’t think it should be. Ultimately, if you aren’t breaking the law, have a well-defined security plan and are documenting your progress, I don’t think you need to do anything different as a result of this verdict.
Negotiate For Protections
While you may not need to do anything differently with respect to your security program, I do think it will become industry standard for CSOs to negotiate protections as part of an employment contract. Prospective employers should plan to add CSOs to their corporate liability coverage for executives, and can also expect existing executives or prospective candidates to push for written assurances that they will be covered legally and will not be sued by their employer.
The Role Will Be Elevated
Ultimately, all of this will result in elevating the CSO role to be on par with other C-Level positions such as the CEO, CFO and even Chief Counsel, all of whom carry significant levels of risk in their positions. The security industry, and ultimately the CSO role, are relatively young compared to other C-Level positions, so I think the Uber verdict will give the role a hefty shove forward and help it find equal footing with some of the other more tenured C-Level positions.
In the end this means companies will begin taking the role more seriously as they are forced to add the role to their corporate liability policy, provide legal protections as part of employment contracts and give the CSO role the same weight as other C-Level roles.
Ultimately This Is A Good Thing
While it may sound concerning that a CISO was held personally liable for a security event at a public company, I think this is the exception, not the norm. The circumstances of this particular verdict clearly demonstrated non-standard behavior and are a good example of what not to do when dealing with federal investigators.
However, I do think it has caused a certain amount of pause and reflection within the CSO / CISO community. CSOs are now beginning to consider whether their programs are sufficient to stand up to external scrutiny, and they are asking what they need to do to protect themselves going forward. This will result in existing or new candidates asking for protections, which will eventually become standard. As the protections become standard, companies will take the role more seriously and ultimately give it the same weight as other high-risk C-Level positions.
One thought on “How Will The CSO Role Change Post Uber?”