The Role Of The CISO🔥👉🏼👈🏼
Scapegoat? 🐐 Ethics? Whistleblower? Executive? Doing Their Job? Fingers are being pointed in all directions these days! 👉🏼👈🏼
These are all words that have come up lately in the news. Fingers are being pointed in all different directions. With such a lawsuit happy society and a nascent industry of cybersecurity, the waters are getting very muddy. Sit back and grab some popcorn. 🍿
I would love to write a full narrative on the Uber Trial, but today’s it’s just some summary points.
Is the CISO an Executive?
A lot of this comes down to where the CISO sits in an organization. I’ve written before about the Token Security Hire and how they really might not wield any power.
There was also a very interesting and relative discussion on Twitter to this topic. In the end, it really depends on where they sit in an organization and who ultimately is responsible for security. Is it the the CEO, CFO, GC, or CTO? Or is it in fact the CISO? This will directly relate to stress levels.
Uber CISO Under Fire
What’s interesting is that Uber was not a public company at the time. Additionally according there are no federal laws (yet) requiring disclosure:
SEC Proposed Rules
This may change with new SEC proposed rules for Cybersecurity.
Believe it or not, public companies don’t have any regulatory cybersecurity responsibility!
This would for the first time place a responsibility on those companies. I read the whole thing and hope to a full post on this.
What’s hilarious is that as Uber is in the news again this week for a breach of their systems. Again, it was a simple social engineering hack by a teenager. The problem at the end of the day was they had static admin credentials to EVERYTHING! 🤦🏼♂️🤦🏼♂️🤦🏼♂️
Twitter is in the news for not being ethical with its cybersecurity program.
Robert Graham has an excellent post on the matter:
Conclusion - Do A Tabletop, Often!
Cybersecurity is not easy. Why? Because many people outside of security don’t know the full breadth of possibilities out there. We see it every, single, day.
So when the CISO makes a decision/recommendation and the CEO or their boss rebukes it, then what? Is there a paper trail? Is there a playbook for a scenario that was approved beforehand?
Security people have been worried about CYA forever.
Do a tabletop exercise and run through scenarios such as the ones discussed in these recent posts. It will open up everyone’s eyes and maybe save your job.