On November 9, 2022 Twitter CISO Lea Kissner resigned along with the company’s chief privacy officer and its chief compliance officer. The Washington Post and other media outlets reported that internal Slack messages at Twitter revealed serious concerns that new leadership was pushing for the release of products and changes without effective security reviews—and that this could put employees at risk.1 , 2 One message even shared a link to Whistleblower Aid, the law firm that represented former Twitter security head Peiter Zatko.
Why would a CISO worry about personally facing legal consequences for company cybersecurity decisions? I don’t have direct knowledge of Kissner’s motives. However, I do know that for the last several months CISOs have been talking to each other about how last October, a federal jury convicted the CISO of a major U.S company for covering up a data breach.
The jury found Joe Sullivan, a former Chief Security Officer, guilty of obstructing justice and actively failing to report a felony—charges stemming from “bug bounty” payments he authorized to hackers who breached the company in 2016. The company was already responding to an investigation into a 2014 breach but did not inform the FTC about the new breach in 2016. Sullivan didn’t make that decision alone: others in the company were looped in, including then-CEO Travis Kalanick, the Chief Privacy Officer, and the company’s in-house privacy/security lawyer. Nevertheless, Sullivan was the only employee to face charges.
How might CISOs handle their roles differently in a world where a poorly-handled breach won’t just get you fired—it might land you in prison? The following are my predictions for what CISOs will start to do in the near future, if they aren’t already.
Building stronger relationships with the board and executive leadership
Sullivan told his CEO about the breach, and what he intended to do about it. However, in 2017 Kalanick was forced to resign his CEO position over unrelated issues and his successor fired Sullivan when he learned the full story of what happened. To avoid being the one left holding the bag if things go wrong, I expect to see CISOs communicating much more with their executive leadership as well as the board of directors. The greater the shared responsibility for cybersecurity decisions, the less chance there is of one person being singled out to take the fall.
Pushing for greater transparency
Reporting on the Sullivan trial, one media outlet quoted a security expert as saying that handling hackers often occurs “in the shadows.” There are many problems with doing business under the cover of darkness, and one of them is that your own actions are obscured and left open to later interpretation by other hostile parties. To protect themselves, CISOs are likely to press for greater transparency at all levels, so there’s no guessing or finger-pointing later on.
Insisting on greater legal protections
The Sullivan case made it clear that corporate counsel is there to protect the company—not individual members of a leadership team. If the FTC, DOJ, or other law enforcement/regulatory entity comes knocking, CISOs will likely want to consult their own legal representation before talking to anyone and will insist on having their attorney present during any conversations with them.
In addition, we can expect to see CISOs advocating for organizational changes that will help ensure they’re protected in the event of a breach. Often a CISO is not an officer of the company, which means the law treats them differently than it does others in the C-suite. Look for more CISOs to insist on Director’s & Officer’s Insurance as a condition of taking (or remaining in) the job.
Quitting in the face of ethical compromise
CISO certifications come with a set of professional principles we must abide by, on top of our own personal integrity and principles. Even if the CEO and corporate counsel think it’s fine to withhold information from investigators, CISOs will find it hard to go along with that consensus when the potential consequences are so personally and professionally devastating. Expect to see more resignations from CISOs when their ethics are challenged—even on a purely practical level it’s easier to find a new position with your hands clean than it is to recover from scandal and prosecution.
Establishing formal escalation processes and procedures within the organization
Even though I’m leaving this prediction for last, it is perhaps the most critical step CISOs can take. The testimony in the case I described above showed a culture where the CISO had leeway to self-interpret the company’s security policies, and informal conversations took the place of robust processes. To protect themselves in the future, CISOs might insist that strong measures be in place to determine the impact of a breach, which in turn determines the escalation process. Those processes will ensure that certain team members and members of the board are automatically informed, and the CISO will document the steps they took at every stage.
These are just some of the approaches I’ve been hearing CISOs discuss. It’s also possible that the Sullivan conviction was an anomaly, and the risk they face won’t be as severe as some fear. But will CISOs want to roll those dice? Given that our role is to anticipate what could go wrong and have appropriate measures in place, I suspect they will choose to err on the side of greater personal security.