- Last Week As A vCISO
The Role Of The CISO
Scapegoat? Ethics? Whistleblower? Executive? Doing their job? Fingers are being pointed in all directions these days!
These are all words that have come up lately in the news. Fingers are being pointed in all different directions. With such a lawsuit-happy society and such a nascent cybersecurity industry, the waters are getting very muddy. Sit back and grab some popcorn.
I would love to write a full narrative on the Uber trial, but today it's just some summary points.
Is the CISO an Executive?
A lot of this comes down to where the CISO sits in an organization. I've written before about the Token Security Hire and how they really might not wield any power.
There was also a very interesting and relevant discussion on Twitter on this topic. In the end, it really depends on where they sit in an organization and who is ultimately responsible for security. Is it the CEO, CFO, GC, or CTO? Or is it in fact the CISO? This will directly relate to stress levels.
Why is the CISO role seemingly more high stress than CFO, COO, CRO, CIO, General Counsel, or CTO?
Is it because we haven't fully figured it out yet?
Not given it proper resources?
Not given it proper authority as an actual C-level executive?
Something else?
Frank McGovern (@FrankMcG), 9:24 PM • Sep 8, 2022
Uber CISO Under Fire
https://www.nytimes.com/2022/09/15/technology/uber-hacking-breach.html
https://www.nytimes.com/2022/09/16/business/dara-khosrowshahi-ceo-uber-breach-trial.html
What's interesting is that Uber was not a public company at the time. Additionally, there are no federal laws (yet) requiring disclosure:
SEC Proposed Rules
This may change with the SEC's newly proposed cybersecurity rules.
Believe it or not, public companies currently don't have any regulatory cybersecurity responsibility!
This would, for the first time, place that responsibility on those companies. I read the whole thing and hope to write a full post on it.
Uber Hack
What's hilarious is that Uber is in the news again this week for a breach of its systems. Again, it was a simple social engineering hack by a teenager. The problem, at the end of the day, was that they had static admin credentials to EVERYTHING!
Twitter Security
Twitter is in the news for not being ethical with its cybersecurity program.
Robert Graham has an excellent post on the matter:
Conclusion - Do A Tabletop, Often!
Cybersecurity is not easy. Why? Because many people outside of security don't know the full breadth of possibilities out there. We see it every single day.
So when the CISO makes a decision or recommendation and the CEO or their boss rejects it, then what? Is there a paper trail? Is there a playbook for that scenario that was approved beforehand?
Security people have been worried about CYA forever.
Do a tabletop exercise and run through scenarios such as the ones discussed in these recent posts. It will open everyone's eyes and maybe save your job.