This is a challenging time to be a CISO. The security community has been eagerly following multiple stories regarding Uber in the past few weeks. From the play-by-play of their recent major hack, to last week's guilty verdict of former Uber security chief Joe Sullivan, CISOs are facing considerable challenges.
The verdict in the Sullivan case found him guilty of obstructing a federal investigation and concealing a felony from the government. According to the New York Times: "Stephanie M. Hinds, the US attorney for the Northern District of California, said in a statement: 'We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.'"
The government is sending a message to CISOs in the US — disclose and potentially lose your job, or cover up and go to jail. If they disclose information to the government, they meet compliance regulations, but their job will be on the line. A breach, especially one in which personally identifiable information (PII) is compromised, will result in a lawsuit and the CISO will likely get fired.
But the punishment for noncompliance, inability to demonstrate full disclosure, or any gray zone in the middle is now personal (unlike other regulations where noncompliance results in fines for the company). Covering up a breach, in the Uber case, and then further hiding details of the hack in the context of a federal investigation, can result in prison time.
This case also brings to light a new challenge for CISOs: "What did you know?" Concealing information is an important part of this case and verdict. Hiding information by saying "I didn't know" isn't an answer for a CISO with a data breach — it reflects negligence at best and is at worst a lie. Security teams need to know their security posture — and, given the many security tools they use, most likely do know it — and what they know can't be concealed.
The Sullivan case has enormous gravity for the security industry. What can we expect from CISOs? Are these expectations fair?
Managing Expectations for CISOs
According to proposed legislation, the expectations are as follows. From the Form 8-K (6-K) Disclosure About Material Cybersecurity Incidents (PDF) — the following rules will be added:
- New Item 1.05 of Form 8-K will require SEC-reporting companies to disclose a material cybersecurity incident within four business days of determining that a material incident has occurred.
- The company must determine the materiality of a cybersecurity incident "as soon as reasonably practicable" after discovery of the incident.
- The SEC indicated last year in a cybersecurity enforcement action that companies must maintain disclosure controls and procedures designed to ensure that all available relevant information concerning any cybersecurity incident is analyzed for timely disclosure in the company's SEC reports.
- "Cybersecurity incident" means an unauthorized occurrence on or through a company's information systems that jeopardizes the confidentiality, integrity, or availability of a company's information systems "or any information residing therein."
The question is, what should CISOs do? They're already deploying multiple security solutions. On-premises, cloud, endpoint detection, firewalls, ransomware recovery, workload protection … the list goes on and on. Still, hackers get in — as in Uber's case — often by simply nagging an employee to click on a phishing link. Millions of dollars on attack prevention and "user XYZ" takes the system down.
Ways to Aid CISOs
I've been working in security for most of my career, building the tools that keep hackers out. I'd like to propose a few ways we can help CISOs out of the complicated situation they're in.
- Get rid of tools that alert on every potential attack or misconfiguration. A generation of alert-based security tools pinging security teams for every small thing has made the situation worse. There is no way for a security team to keep up with the hundreds of alerts, mostly false alerts, that their security tools provide. They need to be able to see a real-time incoming attack in the context of their specific assets, presented as a sequence of events that identifies the immediate risk to the company's most valuable assets. We need to do better to support security teams with tools that provide value, not just alerts.
- Retool. Regulators expect CISOs to be able to detect, analyze, and understand the impact of real attack events (vs. potential misconfigurations) fast. This requires retooling and rethinking much of the security software "stack" to ensure that we're keeping a step ahead of hackers. Reliance on dated techniques is one area that often results in friction between security best practices and reality.
- Work more closely with government on the important regulations that are being proposed for legislation. To protect our CISOs from falling into felony territory, we need legislation that protects the public while also protecting CISOs who come forward and report data breaches. CISOs who genuinely plan for every attack scenario (and can show this planning) but find themselves outsmarted by hackers should not be penalized by the companies they serve.
- Align security goals. Many organizations are moving too fast to focus on security — and it will catch up with them. Development teams are increasingly leveraging agile techniques like CI/CD (continuous integration, delivery, and deployment) to deliver new and innovative features quickly and maintain a competitive advantage. And security is not part of the dev team's or any typical employee's everyday thought process — but it must be. Organizations must have a security strategy that permeates the organization so that everyone (developers, marketing, HR, finance, the board, and everyone else) shares the responsibility with the CISO and security teams. All employees play a role in securing data assets.