Could a CISO Go to Prison?
Director at i-confidential
Uber’s former Chief Security Officer (CSO), Joe Sullivan, was recently convicted in relation to the handling of a data breach.
This should bring the issue of personal liability front and centre in the minds of all CSOs, Chief Information Security Officers (CISOs), and other security leaders.
Although this is a case of criminal obstruction following an incident, rather than the incident itself, it’s time to ask a stark question: “Could I go to prison?”
Regardless of the answer, it should encourage security leaders to check that there is clarity about accountabilities and responsibilities.
In the UK financial services sector, there is a good understanding of the “senior managers’ regime” and associated accountabilities. Each organisation identifies a role holder who is responsible for aspects of running the business and will be personally answerable to management and regulators.
However, the Uber case makes it necessary for executives across all industries to apply the same principles. They must ensure their personal responsibilities and accountabilities are documented and agreed. It’s also necessary to detail what an executive is not responsible for, by allocating those obligations to other role holders.
In a UK organisation, it is unlikely that the CISO or CSO will be accountable for informing a regulator of a data breach. However, doing so might be a default position if clear roles and responsibilities have not been documented and agreed.
Team8 CISO Village, in collaboration with SINET, have published a very useful guide for CISOs to protect themselves from legal risks and liabilities.
Although aligned to US law, the guide highlights the importance of:
Having the right employment contract.
Having clarity around roles, responsibilities, and internal processes for stakeholder engagement.
Operating in a culture of shared responsibility and accountability.
If you are managing any aspects of cyber security, you will find value in taking 30 minutes to read the document and consider its implications for your own circumstances.
There’s an old adage… nobody looks after you as well as you do.
If you can’t get the right personal employment contract, role definition, and responsibility allocation, it’s important to have an audit trail of the advice given to executives during every incident.
Finally, if you need to talk the issue over, try to find a mentor. i-confidential has plenty of experience and would be happy to help.