These are all words that have come up lately in the news. Fingers are being pointed in all different directions. With such a lawsuit happy society and a nascent industry of cybersecurity, the waters are getting very muddy. Sit back and grab some popcorn. 🍿

I would love to write a full narrative on the Uber Trial, but today’s it’s just some summary points.

Share

Is the CISO an Executive?

A lot of this comes down to where the CISO sits in an organization. I’ve written before about the Token Security Hire and how they really might not wield any power.

Last Week As A vCISO

The Token Security Hire

Many organizations have the wrong expectations when hiring security leaders. Some look at it as a checkbox requirement to meet their third party security requirements… but not really looking for effective security (which requires change). Some others are expecting this security person will come in and magically make everything secure, without additional…

Read more

2 years ago · Ayman Elsawah

There was also a very interesting and relative discussion on Twitter to this topic. In the end, it really depends on where they sit in an organization and who ultimately is responsible for security. Is it the the CEO, CFO, GC, or CTO? Or is it in fact the CISO? This will directly relate to stress levels.

Frank McGovern @FrankMcG

Why is the CISO role seemingly more high stress than CFO, COO, CRO, CIO, General Counsel, or CTO? Is it because we haven’t fully figured it out yet? Not given it proper resources? Not given it proper authority as an actual C-level executive? Something else?

9:24 PM ∙ Sep 8, 2022

---

226Likes20Retweets

Tweet This!

Uber CISO Under Fire

• https://www.nytimes.com/2022/09/15/technology/uber-hacking-breach.html

• https://www.nytimes.com/2022/09/16/business/dara-khosrowshahi-ceo-uber-breach-trial.html

What’s interesting is that Uber was not a public company at the time. Additionally according there are no federal laws (yet) requiring disclosure:

SEC Proposed Rules

This may change with new SEC proposed rules for Cybersecurity.

Believe it or not, public companies don’t have any regulatory cybersecurity responsibility!

This would for the first time place a responsibility on those companies. I read the whole thing and hope to a full post on this.

Uber Hack

What’s hilarious is that as Uber is in the news again this week for a breach of their systems. Again, it was a simple social engineering hack by a teenager. The problem at the end of the day was they had static admin credentials to EVERYTHING! 🤦🏼‍♂️🤦🏼‍♂️🤦🏼‍♂️

Last Week As A vCISO

I Read So Many IR Posts This Week, Here Are My Thoughts

I started writing this post a week ago, and in that time frame several additional breaches and security incidents have come up since Twilio and Lastpass, almost on a daily basis. Not since the Solarwinds attack has there been so much fallout on so many companies…

Read more

9 months ago · Ayman Elsawah

Twitter Security

Twitter is in the news for not being ethical with its cybersecurity program.

Robert Graham has an excellent post on the matter:

Conclusion - Do A Tabletop, Often!

Cybersecurity is not easy. Why? Because many people outside of security don’t know the full breadth of possibilities out there. We see it every, single, day.

So when the CISO makes a decision/recommendation and the CEO or their boss rebukes it, then what? Is there a paper trail? Is there a playbook for a scenario that was approved beforehand?

Security people have been worried about CYA forever.

Do a tabletop exercise and run through scenarios such as the ones discussed in these recent posts. It will open up everyone’s eyes and maybe save your job.

Tweet This!