
How MSPs Can Avoid Legal Peril When Offering Cybersecurity Services

Never before has a security professional been criminally charged for decisions made during a cybersecurity incident, and that’s a game changer for MSSPs/MSPs.

By Mike Arrowsmith

THE CONVICTION last fall of Uber's former CISO, Joe Sullivan, continues to make waves among security professionals—and rightfully so. It's an unprecedented event that will have a ripple effect on the entire industry.

Convicting Sullivan on charges of covering up a data breach involving millions of Uber user records is a clear warning that the federal government is taking action. Moving forward, the Ubers of the world won’t be the only ones under increased scrutiny. However, for many managed service and managed security providers, there is a lot of confusion surrounding what this incident might mean for them. To complicate matters, MSPs work with hundreds of clients on average, adding an extra level of complexity to breach disclosure and the issue of responsibility.

So now the question is: What can MSSPs and MSPs do to protect themselves and their companies?

Personal accountability is complicated and puts many in the industry on edge. Before the case against Sullivan, companies were the ones held responsible for keeping customer data safe. There are several examples of companies getting hit with massive fines and penalties (e.g., Equifax, Capital One), but never before has a security professional been criminally charged for decisions made during a cybersecurity incident. While this was a first, it certainly won’t be the last.

This conviction forces all MSSPs/MSPs—particularly leadership—to take a step back before making a decision to ensure they are doing their due diligence. There are a lot of unknowns in the world of cybersecurity, but the federal government is looking at whether an investigation was purposefully misled or whether a known breach was not disclosed in a timely fashion. The key word is purposeful.

Security is not foolproof, but you must make the best decision based on available information. In theory, everyone should already be doing this, but in some companies, doing the right thing is not a clear-cut decision. Unclear internal guidelines, conflicting priorities, and multiple individuals involved in the decision-making process can create confusion.

If your customer, for example, prioritizes growth over everything else, you will need to push back. More than ever, an alignment of values that extends across your customer’s organization will be important.

Putting Customer Information Above All Else

Some companies are creating a new role of chief trust officer, who focuses on the customer data collected and processed. This is to ensure a company is always doing the right thing regarding customer data.

For anyone in the world of cybersecurity, the Sullivan/Uber case is a reminder that we have an innate responsibility to protect our company, but above all else, our customers. MSPs specifically need to have a firm handle on what is happening at the companies they work for, as well as upfront guidelines regarding breach notification. While MSPs work for their clients, they are also responsible for the safety of their clients’ customer data.

Threats are becoming more sophisticated and common, and regulations are consistently evolving. So, while cybersecurity leaders should be held accountable in obvious cases of negligence, it’s important to remember that we are all operating in a complex landscape. We don’t want to discourage people from entering the cybersecurity space (one already woefully understaffed) or force security leaders to work in a state of constant worry. It's about finding balance: Leaders should be held accountable, but within reason.

MIKE ARROWSMITH is chief trust officer at NinjaOne, developer of a unified IT management solution.

ChannelPro SMB Magazine