When to Quit Your CISO Job

In case you’ve been looking for one more reason to quit your CISO job, Uber’s highly publicized data breach case offered Chief Information Security Officers the opportunity to reassess their C-level security job and quit before it’s too late and avoid going to prison. In this article, we will cover Uber’s data breach case and suggest a few instances where it may be time to quit your CISO job. The terms CISO and CSO (Chief Security Officer) may be used interchangeably as organizations use both terms.

Uber’s Data Breach History

Following a data breach in 2014, Uber disclosed a security incident to the Federal Trade Commission which initiated an investigation of Uber’s security and privacy practices. Joe Sullivan was hired as CSO in April 2015 and soon after the FTC served Uber a Civil Investigative Demand which requested additional information about any other cases of unauthorized access to customer personal information, as well as Uber’s broader data security program and procedures. The CSO testified under oath and shared the steps that Uber had taken to safeguard personal information.

Just a few weeks after his testimony, hackers stole a large amount of personal data on November 14, 2016 and contacted the CSO and others at Uber via email to demand a ransom. Instead of notifying the appropriate external parties, the CSO decided to keep the hack a secret and pay off hackers in return for signed non-disclosure agreement. Is it possible that the CSO made this decision because he could not validate the hackers’ claim but did not want to take a risk so he decided to pay the ransom and make the problem go away? The other question we must ask ourselves is were internal parties such as the CEO and General Counsel aware and in agreement of the CSO’s arrangement with the hackers since according to the news reports hackers notified the CSO and other internal parties to demand ransom? However, according to evidence by the Department of Justice, the CSO never mentioned the incident to internal parties.

A new CEO who was appointed in August 2017 learned about the details of incident and decided to fire the CSO and disclose the data breach to the public and FTC as he determined personal data was involved which falls within consumer privacy and data breach notification laws.

First Cybersecurity and Data Breach Criminal Liability Case

On October 5, 2022, Joe Sullivan was found guilty of obstructing justice for keeping the breach from the Federal Trade Commission, which had been probing Uber’s privacy protection at the time, and of actively hiding a felony. This case is believed to be the first time a company executive has faced potential criminal liability for an alleged data breach. 

He now faces a maximum of five years in prison for the obstruction charge, and a maximum three years in prison for the deliberate concealment charge, pending sentencing and possible appeal results.

The CEO and other executives were not charged although the $100k ransom was paid to hackers as “bug bounty”. The question here is did the CSO pay the ransom out of his personal account without the knowledge of other executives to conceal his actions or, did the company approve the payment?

Who is responsible for data breach?

Identity Management Institute ran a LinkedIn poll titled who is responsible for data breach to seek feedback from its industry experts and interested parties about a recent data breach case.

Based on the votes, the majority of respondents believe the Chief Information Security Officer or CISO is ultimately responsible for cybersecurity and data breach response. Although this is a general poll question, “the security governance program, reporting structure, and budget approval process of an organization may ultimately determine who should be responsible for data security and data breach incidents”, according to Henry Bagdasarian.

When You Should Quit Your CISO Job

Chief Security Officers around the world must be asking themselves; will I be blamed and get fired if my organization faces a data breach? Will I have the support of other executives? Do I have the necessary resources to adequately prevent and respond to a data breach?

These are questions that all CSOs must ask themselves and if you can’t honestly answer these critical questions to your satisfaction, then it may be time to quit your CISO job because the reputational and career risk is very high. On the other hand, if companies don’t come up with an adequate security governance program to reassure their CISOs, they might have a hard time finding and keeping qualified experts to become their next CISO.

Below are a few circumstances that you must consider when determining whether it’s time to quit your CISO job according to the article “11 Reasons a Chief Security Officer Must Quit the Job”:

• The CISO role is not an executive role, does not report to a high-level executive, or reports to role that creates conflict of interest. Some CISOs report to low level IT managers or the Chief Information Officer leaving many gaps in the upward reporting process. “The problem with CISO reporting to the IT department and CIO is that data protection touches almost every department and process outside of the IT systems over which the CIO has no jurisdiction. Plus reporting IT security gaps to the CIO who is the owner of all systems and expecting the CIO to fix all issues in due time creates a conflict of interest.” according to Bagdasarian.
• The Chief Privacy Officer role is not well defined and assigned. In some organizations, the CPO role does not exist or is not well defined or assigned to a qualified person such as the General Counsel. The CSO role may be expected to also cover privacy, yet the job description may not reflect this responsibility.  
• There are many security gaps in a variety of areas that are not adequately remediated. Specifically, if these gaps are medium to high risk and have been in existence for a long time, it’s a red flag and clue that the organization as a whole has accepted the risk and the CSO alone is not responsible, yet the CSO may take the blame for a data breach at the end.
• The security team lacks financial support to add the necessary headcounts, buy cybersecurity insurance, or implement technical security solutions.
• Your boss ignores request for funding and seems careless about security gaps and risks.
• Your boss doesn’t have clout in the organization and is often not taken seriously by other executives.
• Board and CEO are not interested in security risks and don’t publicly support the security team.
• Board or management ignore request for funding, are not interested in understanding the risks, lacks motive, or have other priorities such as preserving shareholder value or the selling the company.
• You feel alone and unsupported during difficult times such as security incidents.
• You are expected to be unethical, tell lies, or keep quiet in the interest of the organization during incidents or audits by third parties such as customers or regulators.
• The CISO salary is well below the industry wages for your market. This is yet another indication that the CISO role is not taken seriously.

Conclusion

As a CISO, you should always assess your work environment and determine whether your organization is supporting you to perform ethically and competently. You should consider the career and reputational risks of not doing your job because of others. Specially, when it comes to regulations and contractual agreement, nothing should prevent you from adhering to the requirements and you should not accept short cuts. If you feel that you lack support to do your CISO job adequately or told to behave in a certain unethical manner, then, it’s time to quit your CISO job and move to another job. With these in mind, you should be able to ask the right questions in the interview process to assess whether the company and the CISO role is the right fit for you. If you notice red flags and still decide to take the job because it is a stepping stone in your career, consider whether the risk of going to jail is worth it.