3 Critical Behaviors Every CISO Must Follow
Joe Sullivan, the former C(i)SO of Uber, has been convicted on federal charges related to ransomware payments he authorized in 2016 on behalf of the ride-hailing company. Sullivan was found guilty of obstructing justice for hiding the breach from the Federal Trade Commission and purposeful non-disclosure of a felony.
However, Sullivan is a seasoned and lauded security expert who formerly prosecuted cybersecurity crimes for the San Francisco U.S. attorney’s office, and also served in top security roles at Facebook, Uber, and Cloudflare. So, the guy knew his way around threat landscapes and the law.
It is interesting to note that many cyber experts today claim that the ransomware landscape has changed in the last six years. With hacks, breaches, and ransomware attacks against businesses now running rampant, some argue that the laws pertaining to Sullivan’s crimes are now obsolete.
Whether the conviction was warranted or somehow missed the mark, the dynamics of this case offer many important lessons for the cybersecurity community.
At what point, if ever, did Sullivan begin to see his mission as one to misrepresent the truth? Or to perform damage control? Or even to stage a cover-up? Were there times when he was at least asking himself “What the hell am I doing?” or realizing “Well, this certainly can’t end well”?
I don’t know Sullivan personally, so I can only speculate about how his motivation altered course over a period of time. Was he a bad apple, and Uber didn’t do the proper background check? Again, his work prosecuting cybercrimes and his illustrious career at top companies would suggest otherwise.
For argument’s sake, I am going to assume that Sullivan was a wholesome guy, great at his job, and liked to get along with people. He cared for his company, he cared about his career, he loved his family, and all that. You know, like a lot of us.
The essence of the CISO role is to provide information about threats, weaknesses, risk, and remediation to leadership, to key stakeholders, and to decision makers. And in Sullivan’s case, to the Feds.
So then what went wrong?
Corporate culture can be a challenge anywhere, but it has been a big issue at Uber since the early days. The company espoused a culture based on meritocracy where the best will rise to the top, but bad behavior was overlooked so long as performance goals were met or exceeded. Apparently their core values included being “obsessed with the customer” and “always be hustlin’!”
In this type of cutthroat, aggressive, unrestrained but myopic workplace, so-called values give way to bad and often even nefarious behaviors. Uber has certainly received more than its fair share of accusations of aggressive and perhaps illegal incidents (including reports of a manager who had threatened to grab a bat and beat in the head of an underperforming worker).
The company has been in the news a lot about its toxic company culture. In 2017 an employee sued for sexual harassment in the workplace and the company settled in Federal Court. Contractor drivers have been both victims and the alleged perpetrators of serious crimes, including rape and murder. So top executives had to go.
At the core of the charges against Sullivan was his and Uber’s unwillingness to be forthcoming about the data breach and the ensuing ransom demands. But was this self-serving hubris? Or the fear of admitting weakness, particularly in those years leading up to taking the company public? According to reports, Uber’s leadership was aware of and approved Sullivan’s actions throughout the company’s response to the 2016 ransom attack.
It may be that this was at its core about the culture of the organization. There is a reason Sarbanes-Oxley talks about the “tone at the top.”
However, with Sullivan’s background it’s hard to believe that he came in and started doing stupid things right away. It’s likely that issues were already at play when he took on the security job. As a new CISO, you generally have six months or less to identify all of the issues, document them in the permanent record, and attribute them to your predecessor. You will still be expected to solve them. But if you don’t take this vital step, people won’t remember how they got there – and, more importantly, they won’t care.
Maybe Sullivan did the initial discovery and got everything on the record. Maybe he didn’t. Maybe he didn’t sweat the little stuff. With some of the Unicorns and startup mentality, minor issues such as compliance and security controls that cause friction in process are frequently underestimated and pushed off to be addressed at some undetermined time in the future. But all those little issues add up – death by a thousand cuts. Ignored, little issues almost always turn into big ones.
Somewhere along the journey Sullivan may have begun to feel responsible for any minor issues, even those that predated him. Maybe the chaotic and high-performance environment fostered silence concerning issues. Actually, the apparent similarities between the dynamic at Uber and Russian Military failures in Ukraine are uncanny. Both suffered from an environment in which serious issues, weaknesses, and lack of progress were not reported up the chain due to fear of the near-term consequences to themselves.
At some point, the rot takes hold, and it becomes exceedingly difficult to bring up past transgressions or issues. “Why wasn’t this brought up before?” It begins to reflect poorly on the leader. “I thought you were handling this.” It’s a vicious cycle and the issue of underreporting problems and overstating performance then continues in hopes that the issues don’t become big problems and the lack of performance isn’t discovered.
Data breaches and security incidents are stressful issues to deal with, even for seasoned cybersecurity professionals. By definition, a breach means you are exposed and vulnerable. A lot of questions have to be answered about how this happened and what control failures led to the compromise. For a rising innovator in the transportation sector like Uber, admitting weakness is often not an option decision makers are willing to explore. It’s not good for their brand, it’s not good for their investors, and it’s not good for the business at large. It’s certainly not good for an impending IPO!
But in this case, it mostly wasn’t good for Sullivan. When the piper came calling, he was the fall guy. He became the scapegoat.
CISOs should learn from the Joseph Sullivan case and Uber.
Here are 3 Critical Behaviors every CISO should follow to avoid falling into the same trap as Joe Sullivan:
1. Stay True to Yourself and Your Values. As a CISO, you need to have unimpeachable character. That means you have integrity and a strong work ethic. You also have a sense of the long-term consequences of your decisions; short-term gains can prove costly in the long run. Establish a clear purpose and ground rules that define the organization’s security mission and how you value and protect customer and company data, and clearly outline the consequences if these principles are not followed. Make sure your team and the entire company know what kind of behavior is acceptable and what is not. Act with sincere candor; don’t sugarcoat the tough stuff. Take a stance if you perceive you are being asked to do something you know is not right. And don’t back down to pressure. If you need to, leave the company, but NEVER compromise on principle. The immediate challenge of having to find another job or feeling like you are going it alone within the leadership team does not compare to the potential consequences of compromising your own integrity.
2. Be Hyper Transparent. Be exceedingly forthcoming about all matters cybersecurity, whether it is the threats you face, the weaknesses the company is wrestling with, or the risks you have identified. Don’t be reluctant to share information, processes, documentation, plans and strategy, or the fact that you don’t have these. Others should review your work and your program. Tell anyone that will listen about the risks the company may be facing. If small issues are continually ignored, they may evolve into bigger, unmitigated risks. Use Auditors (internal and external) to draw attention to issues that aren’t being addressed by Management, regardless of how much you are discussing them. Auditors make information part of corporate records that management can’t ignore.
3. Put Decision-Making Where It Truly Belongs. Ensure that decisions are made by those with the authority to make them. Yes, that’s right. You may wear the CISO title, but chances are, you don’t have the authority to make the kind of decisions that Sullivan made, nor should you. Your job is to provide information about threats, weaknesses, and risks to those who have to make the hard decisions. Data comes in the form of graphs, numbers, figures, or statistics. There is a wealth of tools and resources at our disposal to help us provide business-language information, colorful graphics, and plenty of supporting data and studies. When this data is analyzed and interpreted, it becomes Meaningful Information. The key, though, is understanding that this is truly the essence of the CISO job. As the Educator in Chief, you must continually educate your senior leadership team, business unit peers, and the entire company about the very real threats facing your organization, the investment (or lack thereof) you are making in protecting it, the potential weaknesses you have discovered and monitor within the company’s systems and technology, and how your data is protected. When you succeed at this, the true decision makers can make good decisions.
One of my favorite quotes that really represents the plight of a CISO comes from the movie Pearl Harbor. In the film, Admiral Nimitz asks Captain Thurman, “So, sir, you would have us mobilize the entire fleet, at the cost of millions of dollars, based on this ‘spine-tingling’ feeling of yours?” Thurman replies, “No sir! I understand my job is to gather and interpret material. Making difficult decisions based on incomplete information from my limited decoding ability is your job, sir.”
That’s it! That. Is. It. Once you realize this dynamic, you will go far as a CISO. That, or wait until leadership gives us full authority and the budget to set and uphold whatever standard of risk we feel is appropriate.
But don’t hold your breath on that one.
Stig Ravdal is the President & Founder of Ravdal, Inc., a leading cybersecurity strategy and solutions company. He is widely considered an expert in the field and is available for speaking engagements.