Weekly Video: October 10, 2022
10–10–2022 (Monday)
Hello and welcome to another edition of Cyber Risk at Deal Speed, your weekly video rundown of cybersecurity news and strategy for investors, deal teams, and the management teams of portfolio companies.
I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io
Today is Monday, October 10th, and this week we’re going to pull out a few lessons from a single news story, and we’re going to do it in 5 minutes or less.
Ex-Uber CISO Convicted of Covering Up Data Breach
Most of the information security leadership community spent their week reading, reacting, and reading reactions to the news that former Uber CISO Joe Sullivan was convicted by a Federal jury in San Francisco this week.
There are a lot of details surrounding the events of this case - and I’d encourage you to read the US DoJ’s press release as a summary, but let’s be clear on a couple of things:
Sullivan’s conviction is not about the fact that Uber got hacked; it’s that he actively worked to cover up the events, including lying to leadership and outside investigators, and failing to disclose the events to the FTC.
Joe Sullivan knows better - he’s a former federal cybercrime prosecutor, having spent eight years in that role as an AUSA, and then senior security roles at both eBay and Facebook.
So, what can we take away from these events to help us make better decisions than what Joe Sullivan did?
First, I think we should recognize that cyber risk is now squarely in the crosshairs of regulators, and that boards and executive teams must be working to actively manage these risks in a comprehensive and coherent fashion.
In the facts of this case, Sullivan consulted with an internal attorney - but that attorney wasn’t part of the GC’s office. He also had the CEO’s permission to obfuscate the ransom payments as part of a bug bounty - and it’s worth noting that both of the hackers in this case have been separately prosecuted and convicted.
New regulations are focusing explicitly on issues like this - including the proposed amendments from the New York Department of Financial Services, which require CISO independence (arguable whether that existed here - this likely should’ve gone to the Board), and the proposed cyber rules from the SEC that would require notification to the regulator within four days of an incident like this.
Second, I think we must also recognize that a CISO’s job is to manage organizational risk - not just technical risks. Sure, the risks they’re managing often manifest in conjunction with technology, but just like the rest of the C-Suite, they need to take a more comprehensive view.
If you haven’t run a table-top exercise simulating events like the ones that took place at Uber, and ensured that your communications and governance structure are appropriate for handling incidents like this, now is the time.
The amount of scrutiny on these risks is only going to increase. I don’t think it’s worth being overly alarmist around the threat of prosecution for CISOs, but I do think that you’re going to see challenges in recruiting for this role in highly visible organizations, and an increase in CISOs who raise these issues to the highest levels of the organization and, without appropriate reciprocation, will go to regulators and/or reporters when these events take place.
Improving organizational governance takes time and considerable effort. If you aren’t where you want to be on this front, it’s probably time to get started.
Fundraising
As we start Q4, we’ve got a pretty respectable $9.1B in newly committed capital, with a couple of multi-billion dollar funds announced. Maybe not the continuation of the scorching trend we saw in Q3, but more than $1B/day is nothing to shake a stick at.
You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next week with another edition of Cyber Risk at Deal Speed.
LINKS:
https://therecord.media/security-chiefs-fear-ciso-scapegoating-following-uber-sullivan-verdict/