Date: 2022-10-13

This is a challenging time to be a CISO. The security community has been closely following multiple stories regarding Uber in the past few weeks. From the play-by-play of its recent major hack, to last week's guilty verdict against former Uber security chief Joe Sullivan, CISOs are facing considerable challenges.

The verdict in the Sullivan case found him guilty of obstructing a federal investigation and concealing a felony from the government. According to the New York Times: "Stephanie M. Hinds, the US attorney for the Northern District of California, said in a statement: 'We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.'"

The government is sending a message to CISOs in the US — disclose and potentially lose your job, or cover up and go to jail. If they disclose information to the government, they meet their compliance obligations, but their job will be on the line. A breach, especially one in which personally identifiable information (PII) is compromised, will likely result in a lawsuit, and the CISO will likely get fired.

But the punishment for noncompliance, inability to demonstrate full disclosure, or any gray zone in the middle is now personal (unlike other regulations where noncompliance results in fines for the company). Covering up a breach, in the Uber case, and then further hiding details of the hack in the context of a federal investigation, can result in prison time.

This case also brings to light a new challenge for CISOs: "What did you know?" Concealment of information is central to this case and its verdict. Claiming "I didn't know" is not an answer for a CISO after a data breach: it reflects negligence at best and is at worst a lie. Security teams need to know their security posture, and given the many security tools they run, they most likely do know it, and what they know cannot be concealed.

The Sullivan case has enormous gravity for the security industry. What can we expect from CISOs? Are these expectations fair?

Managing Expectations for CISOs

According to the SEC's proposed rules, the expectations are as follows. From the Form 8-K (6-K) Disclosure About Material Cybersecurity Incidents, the following requirements would be added:

New Item 1.05 of Form 8-K would require SEC-reporting companies to disclose a material cybersecurity incident within four business days of determining that a material incident has occurred.

The company must determine the materiality of a cybersecurity incident "as soon as reasonably practicable" after discovery of the incident.

The SEC indicated last year in a cybersecurity enforcement action that companies must maintain disclosure controls and procedures designed to ensure that all available relevant information concerning any cybersecurity incident is analyzed for timely disclosure in the company's SEC reports.

"Cybersecurity incident" means an unauthorized occurrence on or through a company's information systems that jeopardizes the confidentiality, integrity, or availability of the company's information systems "or any information residing therein."

The question is, what should CISOs do? They're already deploying multiple security solutions. On-premises, cloud, endpoint detection, firewalls, ransomware recovery, workload protection … the list goes on and on. Still, attackers get in — as in Uber's case — often by simply pestering an employee until they approve a login prompt or click a phishing link. Millions of dollars spent on attack prevention, and one user's click takes the system down.

Ways to Aid CISOs

I've been working in security for most of my career, building the tools that keep hackers out. I'd like to propose a few ways we can help CISOs out of the complicated situation they're in.