The Role Of The CISO 🔥👉🏼👈🏼

Scapegoat? 🐐 Ethics? Whistleblower? Executive? Doing Their Job? Fingers are being pointed in all directions these days! 👉🏼👈🏼

These are all words that have come up lately in the news. Fingers are being pointed in all different directions. With such a lawsuit-happy society and a nascent cybersecurity industry, the waters are getting very muddy. Sit back and grab some popcorn. 🍿

I would love to write a full narrative on the Uber trial, but today it's just some summary points.

Is the CISO an Executive?

A lot of this comes down to where the CISO sits in an organization. I've written before about the Token Security Hire and how they really might not wield any power.

There was also a very interesting and relevant discussion on Twitter about this topic. In the end, it really depends on where they sit in an organization and who is ultimately responsible for security. Is it the CEO, CFO, GC, or CTO? Or is it in fact the CISO? This directly affects stress levels.

Uber CISO Under Fire

  • https://www.nytimes.com/2022/09/15/technology/uber-hacking-breach.html

  • https://www.nytimes.com/2022/09/16/business/dara-khosrowshahi-ceo-uber-breach-trial.html

What's interesting is that Uber was not a public company at the time. Additionally, according to the reporting, there are no federal laws (yet) requiring disclosure:

SEC Proposed Rules

This may change with the newly proposed SEC rules for cybersecurity.

Believe it or not, public companies don't have any regulatory cybersecurity responsibility!

This would, for the first time, place such a responsibility on those companies. I read the whole thing and hope to write a full post on it.

Uber Hack

What's hilarious is that Uber is in the news again this week for a breach of their systems. Again, it was a simple social engineering hack by a teenager. The problem, at the end of the day, was that they had static admin credentials to EVERYTHING! 🤦🏼‍♂️🤦🏼‍♂️🤦🏼‍♂️

Twitter Security

Twitter is in the news for not being ethical with its cybersecurity program.

Robert Graham has an excellent post on the matter:

Conclusion - Do A Tabletop, Often!

Cybersecurity is not easy. Why? Because many people outside of security don't know the full breadth of possibilities out there. We see it every, single, day.

So when the CISO makes a decision or recommendation and the CEO or their boss rebukes it, then what? Is there a paper trail? Is there a playbook for that scenario that was approved beforehand?

Security people have been worried about CYA forever.

Do a tabletop exercise and run through scenarios such as the ones discussed in these recent posts. It will open up everyone's eyes and maybe save your job.
