Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecuritySecurity Leadership and ManagementSecurity & Business Resilience

CISO perspective on breach disclosure 1 year after Sullivan conviction

By Chris Hallenbeck
Uber-app-on-phone.jpg

Image via Unsplash

October 20, 2023

Breach reporting has changed drastically over the past year. The conviction of former Uber CSO Joe Sullivan for actively taking steps to hide a 2016 data breach — and subsequently holding back from fully disclosing details when questioned — certainly fed into a cascade of mandatory reporting rules and a spotlight on the CISO and CSO roles, prompting many top security chiefs to investigate their own breach disclosure processes and cyber risk strategies. Most recently, the Securities and Exchange Commission (SEC) required that any material cybersecurity incident be reported within four days of the company determining its impact.

Reporting a breach and its anticipated impact on a company invites considerable scrutiny from regulators, the public and potential litigation. In certain instances, an organization may even have to provide technical details relating to how certain vulnerabilities were compromised, as stated in the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Complying with regulatory disclosure requirements while balancing the need to protect the investigation and response efforts is not easy even on a good day. If an organization is impacted by multiple regulations across several countries or regions, a CISO is now maneuvering through a web of reporting, adding another layer of work to an already overstressed group of professionals. Gartner predicted earlier this year that almost half of cyber leaders will change jobs by 2025 and a full quarter will change career paths entirely due to the mental and emotional toll associated with their job. 

The first-ever federal prosecution of a CSO or CISO for how they handled a breach can certainly add to that stress if they haven’t successfully built out a disclosure plan.

CISO accountability and the need for better collaboration 

In the past, organizations sought to keep breaches quiet for a variety of reasons. Many times, this can be accomplished without breaking the law, but the shifting legal and regulatory landscape now requires that CISOs and CSOs consider their own personal liability and how best to reduce their exposure. However, it’s important to note that the case with Uber’s CSO was unique. It wasn’t his failure to disclose the breach of 57 million records and 600,000 driver’s license numbers, but his active effort to deceive regulators and the C-suite, including making factual assertions that were not true. Sullivan hid details from regulators, 10 days after he provided sworn testimony to the FTC. To maintain accountability with the Board and protect personal liability in the face of an incident, CISOs and CSOs need to set up a structure of delegation — an incident response plan that spans wider than their own teams.

It’s a well-known fact that a multi-departmental incident response plan should always be in the background, ready to go in case of a breach. CISOs should identity the key areas and contacts of the business that should be engaged, which include legal, IT/IT security and communications/PR, who are not bogged down with day-to-day security tasks and can help alleviate the pressure so that CISOs and their teams can focus on attending to the breach.

Being an effective security leader in today’s world is as much about people skills within the organization as it is the technical know-how. It is security leaders’ job to get all teams to buy in, as it is virtually impossible for one team to have eyes on every piece of the incident disclosure process. The legal team needs to be involved from the beginning, as do the communications and customer management teams, so that messaging can be effectively developed and disseminated after a breach occurs.

The broader impact of mandatory reporting laws

Ultimately, the actions being taken by the SEC, FTC, CISA and other agencies in putting forth breach disclosure mandates can be commended. The sharing of threat and incident intelligence takes the spotlight off any individual company and can bring us all together as an industry committed to a singular mission — protecting people. It’s important to understand that Sullivan was not charged for the breach occurring nor were the cybersecurity strategies in place during his leadership accused of being insufficient. He was found guilty of actively taking steps after the breach to hide the existence of the intrusion. Failure to report a breach, no matter how unequipped a security team claims they were, is bad, but actively hiding a breach is even worse. 

This ruling has also been empowering security leaders. Although it may not have been true in the Sullivan case, some security leaders are pressured into sweeping things under the rug for the sake of public image. By placing real punitive measures in place to prevent that, the ruling helps spur security leaders to either walk away or blow the whistle in these instances.   Rather than remaining on the defensive by refusing to share information for fear of industry backlash, organizations need to remember that the dissemination of incident intelligence helps the cybersecurity community better combat bad actors.

At the end of the day, while no security leader wants the threat of prosecution hanging over their head, a year out from the ruling, I think we are starting to see some positive culture shifts. The headline generating nature of this ruling brought more attention to what security leaders are held responsible for and it can be a rallying point for the whole industry to refocus on working together. 

KEYWORDS: CISA CISO CISO leadership data breach SEC regulations Uber

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Chris Hallenbeck is the CISO at Tanium.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Top Cybersecurity Leaders
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Cyber Tactics Column
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Technologies & Solutions
    By: Charles Denyer
Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Internal computer parts

Critical Software Vulnerabilities Rose 37% in 2024

Coding

AI Emerges as the Top Concern for Security Leaders

Person working on laptop

Governance in the Age of Citizen Developers and AI

Half open laptop

“Luigi Was Right”: A Look at the Website Sharing Data on More Than 1,000 Executives

patient at healthcare reception desk

Almost Half of Healthcare Breaches Involved Microsoft 365

2025 Security Benchmark banner

Events

June 24, 2025

Inside a Modern GSOC: How Anthropic Benchmarks Risk Detection Tools for Speed and Accuracy

For today's security teams, making informed decisions in the first moments of a crisis is critical.

August 27, 2025

Risk Mitigation as a Competitive Edge

In today’s volatile environment, a robust risk management strategy isn’t just a requirement—it’s a foundation for organizational resilience. From cyber threats to climate disruptions, the ability to anticipate, withstand, and adapt to disruption is becoming a hallmark of industry leaders.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • Gavel and block

    One year after SEC cyber disclosure ruling, security leaders weigh in

    See More
  • Man in suit looking out at city

    A CISO's perspective on the modern cybersecurity landscape

    See More
  • Jill Knese Podcast Header

    Balancing Risk and Innovation - A CISO Perspective

    See More
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing