CISOs as Caretakers

Act legally. Act truthfully. Act justly. Act responsibly. Serve with competence or do not serve at all.
Allan Alford
Contributing CISO

Joe Sullivan, former CISO at Uber, was convicted for failing to disclose a data breach in full to customers and to investigators. While many CISOs opine on the ramifications his conviction will have for the CISO role and on the risks to their own careers, many are missing the deficiency in the CISO profession revealed by this case: a lack of standards for the CISO role, a lack of a commonly accepted code of ethics, and a lack of defined responsibilities. Sullivan was denied an acquittal by a federal judge after filing an appeal for his conviction to be overturned.

“Caretaking” when it comes to the role of the CIO, is often contrasted with “builder,” “change agent,” or other terms that indicate a more strategic and proactive approach than merely caring for the organization’s information. Caretaking has become a negative term and a synonym for “maintainer”. But caretaking is a vital and necessary component of servant leadership that a CIO must embody if they are going to treat the organization appropriately. Caretaking is an attitude and an approach toward the organization that reflects a deep sense of commitment. Caretaking means responsibility, obligation, and stewardship. It means that a CIO is operating according to a code of ethics – ethics that put the organization and its information first and foremost.

If one searches the Internet for “CISO as caretaker,” however, there is nothing obvious in the results about this specific idea of caretaking as it relates to the CISO role. If one searches the Internet for “CISO code of ethics,” it is difficult to find codified lists or anything concrete that speaks to this caretaking obligation. Why does a search for “CIO code of ethics” return three times the results of “CISO code of ethics”? The first CISO role was formally created in 1995. We have had plenty of time to catch up with the CIO in the refinement of responsibilities, code of ethics, and general approach toward caretaking. Yet it seems that there is far less attention and energy on the CISO’s obligations to the organization than there should be.

Data Governance

Formal data governance doctrine specifies three main roles: data owner, data steward, and data custodian. The data owner is concerned with appropriate access to data and the risks associated with that access. This role is responsible for the classification, protection, and use of the data, and as a result, tends to be more conservative regarding access and usage. The data steward is a subject expert on the data itself, concerned with what that data means. This role generally operates under the aegis of the data owner and often wants folks using that data, despite the data owner’s intentions. The data custodian manages the data – backups, servers, networks, etc. This role knows precisely where the data is stored and where it is flowing but does not necessarily know how to use the data. IT, under the banner of the CIO, generally serves as the data custodian, and the connection between these concepts of “custodian” and “caretaker” is rather obvious.

But where does the CISO fit in this data governance model? Where is the caretaking? The answer is in the governance itself. The CISO’s office ensures that data custodians implement appropriate (and reasonable) security controls to protect the confidentiality, integrity, and availability of the data (the “CIA triad”) as defined by the data classification schemas established by the data owner and/or data steward. This overarching governance of the data lifecycle implies a critical caretaking role.

This vital role of governance exists above this three-roles model and therefore remains somewhat ephemeral in nature despite a scope that overarches the three roles. A role with such reach should at least be defined with a notion of responsibility to the organization, right? As it turns out, searching the Internet for “CISO responsibilities” only yields a list of practical, technical, or material tasks, of the sort one would find in a job description. The notion of a greater responsibility eludes our attempts at investigation.

The Future of CISOs

What does all of the above mean? Twenty-nine years after the first CISO role was created, there is little to no material out there about the CISO’s role as caretaker, the CISO’s greater responsibilities towards the organization and its customers, stakeholders, and shareholders, or a code of ethics that would drive such responsibilities. This is hugely problematic and indicative of a lack of standards for our profession altogether. A common quip CISOs often share with one another to lament the immaturity of their profession goes, “Being a CISO today is like being a CFO before generally accepted accounting principles (GAAP) were invented!”

It is true that we don’t necessarily have centralized governing standards for the practical aspects of managing information-specific risk in the myriad environments in which we find the data we govern to reside, but we do have common frameworks like the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF), The Center for Internet Security’s Critical Security Controls (CISv8), International Organization for Standardization’s ISO/IEC 27001:2022 Information Security Management (ISO 27001), and others. With regard to standardizing the practical aspects of the CISO profession, these frameworks can suffice for now. But what about caretaking? Ethics? Responsibility?

Just this year, the United States Securities and Exchange Commission (SEC) released its proposal “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” for US companies whose stocks are publicly traded. This is the first real attempt from a centralized regulatory body to begin speaking to roles and responsibilities from the Board of Directors down to the data custodians in a way that goes beyond the more tactical and tangible prescription of any of the above-listed frameworks. The most common prediction is that this proposal will be met with resistance, will take a long time to ratify, and will ultimately end up watered down from its current state, but many CISOs are bullish on this proposal because they recognize that it is the first step towards something like GAAP for CISOs.

To be fair, there are some vague prescriptions and plenty of other landmines in the SEC proposal (conflicting notions, ill-defined rules, steps that some say are impossible to achieve), but the spirit in which it is written serves as a significant step in centralizing some roles, responsibilities, ethics, and overall notions of caretaking for the CISO craft. For example, its mandated public disclosure of material breaches, or even non-material breaches which become material in aggregate, would preclude the Sullivan problem.

Conclusion

So where does this leave us? While we wait on the SEC to finalize whatever edicts its proposal becomes, do we rest on our laurels? Do we point to NIST CSF, ISO 27001, CISv8, and other frameworks as our guideposts and declare that good enough? Or do we recognize that as a profession, CISOs need to think hard about what it means to be a CISO and a data caretaker, what it means to have responsibilities towards our organizations, our stakeholders, and shareholders, and to cooperate with one another to create and drive standards for the most important part of our profession – the guiding principles, ethical underpinnings, and drivers that establish the responsibilities of our role?

We don’t need an outside body to tell us how to behave. Ours is a noble calling – we are called to this profession to protect others. We can start with a simple list that incorporates the responsibilities such nobility represents: Protect the privacy, security, and safety of others – not just those whom we are chartered to protect, but the greater society, its members, and its infrastructure. Serve others – those who can benefit from our protective skills, those aspiring to join our profession, and those who wish to further their careers in our profession.

Act legally. Act truthfully. Act justly. Act responsibly. Serve with competence or do not serve at all.