• December 5, 2022

Claire’s Deal Raises Questions About Macy’s Overreliance On Partnerships

Macy’s has been pursuing opportunities to grow its business through store-within-a-store partnerships and in its latest alliance is teaming up with Claire’s to open shops inside 21 Macy’s stores, including eight …

Crypto Winter Unwind Still Has Legs To Run And Run

Are there any perma-bulls left in crypto? There don’t seem to be many left so I must admit to wanting to buy bitcoin now, but I am not going to because …

CJEU On Taxes: As Goes Fiat, So Goes Apple

Back in 2016, the U.S. Department of Justice announced it was hitting Deutsche Bank with a $14 billion fine relating to its dealings in mortgage-backed securities. The irregularities occurred years earlier, …

Yesterday, Uber’s former head of security, Joe Sullivan, was found guilty of obstructing an investigation by the Federal Trade Commission into Uber’s security practices. He was also charged with hiding a 2016 data breach from authorities. This is a serious offense, and it has far-reaching implications for other Chief Information Security Officers (CISOs) and the outsourced fractional/virtual CISO business model.

On November 3, 2016, Sullivan was made aware of a data breach that had occurred at Uber. A hacker had gained access to the personal information of 57 million Uber users, including their names, email addresses, and phone numbers. Rather than reporting the breach to the authorities, Sullivan hid it. He then paid the hacker $100,000 to destroy the evidence and keep quiet about what had happened. This cover-up eventually came to light, and Sullivan was charged with obstruction of justice and witness tampering. He was fired from Uber in 2017 and pleaded not guilty to the charges in 2018. However, a jury found him guilty on all counts. He now faces up to 8 years in prison.

The court decision has CISOs questioning if they’ll face the same fate should a similar breach occur within their organizations. What might their recourse be? Do they follow their conscience and do the right thing or cover it up for the company? Will this blame trickle down to the non-executive CISOs that are “Chief” only in name? There are many questions left unanswered, and we’ll likely not find good solutions anytime soon.


Another area of concern is the growing fractional or virtual CISO industry. An increasing number of organizations are outsourcing their CISO responsibilities to individual consultants or firms. Might we see an increase in third-party CISOs as a risk mitigation strategy? It’s far easier to blame a consultant for a lapse in judgment than a tenured executive with close ties to the brand. Will organizations begin to require more exorbitant personal, business, and cyber liability insurance coverage from their consultants? For a small business or individual consultant, the cost of doing business and the risk of assigned liability appear to be joined at the hip.

The situation with Joe Sullivan is still unfolding, but there are already some clear lessons from this case. First and foremost is the importance of being transparent about data breaches. Companies cannot afford to try and cover these things up; it will only come back to bite them later on down the road. Furthermore, this sets a scary precedent for all CISOs, employed and third-party alike. In an age where data breaches are becoming more and more common, businesses must do everything possible to protect their customers’ information. Let’s just hope it doesn’t mean an increase in “sacrificial CISOs” for the good of the business.


Leave a Reply

Your email address will not be published.