How to survive as a CISO aka 'chief scapegoat officer'
Whistleblowing, email is evidential mail, HR is not your friend, and more discussed by CxO panel
RSAC Chief security officers should negotiate personal liability insurance and a golden parachute when they start a new job – in case things go sideways and management tries to scapegoat them for a network breach.
And if they blow the whistle, it's best not to sue their employer as well, lest they get blacklisted.
Those were among the nuggets of advice given at an RSA Conference panel on CISO whistleblowing Monday. Dd Budiharto – a former CISO at Marathon Oil among other roles at multiple Fortune 500 companies – told the audience one past unnamed employer fired her for refusing to sign off on bogus invoices. Preparation, relationships, and choosing not to sue helped her get out of the situation with her reputation intact.
"I'm proud to say I've been fired for not being willing to compromise my integrity," she said.
"My thoughts were, 'I actively cannot agree with what is happening, I have to use my voice, I have to speak up, I have to tell the leadership and then see how the leadership responds to that,' and then I had to make a tough decision. I have a family to take care of and did not have a golden parachute to fall back on, but it really starts with you as the person."
In this case, she refused to OK invoices for work consultants did not deliver. After escalating the matter to the leadership, she says, she was reprimanded and investigated by HR, and her line manager made a number of false accusations, which she was only able to refute thanks to strong relationships built with other members of staff. After she left, she says, the company found out she was right.
Although she did lose her job, she decided not to sue over the issue, saying such a move would leave a "black spot" on her record and may cause her employer to smear her throughout the industry. Besides, she already had another job lined up. All three of the CISOs on the panel agreed that was a wise move.

The CISO panel at the RSA Conference. From left, moderator and co-founder of Cyber Security Tribe Dorene Rettas, Herman Brown, Dd Budiharto, and Andrew Wilder.
Another panelist said security officers should insist that bosses fund two insurance policies - directors and officers insurance (D&O) and personal legal liability insurance (PLLI) - before signing on to a new company. These policies have been standard for corporate officers for decades, explained Andrew Wilder, CISO of veterinarian network Vetcor and adjunct professor of cybersecurity at Washington University in the US.
"You want to have personal legal liability insurance that covers you, not while you are an officer of an organization, but after you leave the organization as well," Wilder said, adding that CISO meant "chief scapegoat officer" to some companies, who think firing their head of security after a cyber-incident will somehow help things.
"Both of these things are table stakes for CFOs, and have been for many, many years. I've talked with CISOs, who have been whistleblowers who have had to go to court later, and they've had to take all of those court costs personally, and you don't want to be in that situation."
Wilder cited the case of his friend Joe Sullivan, the former CISO of Uber, who was convicted of obstruction of justice and not reporting a crime after he covered up a 2016 security breach and tried to disguise a ransomware payment as a bug bounty. Sullivan hired a PR company during the court case to shore up and repair his reputation, and the Uber-provided PLLI covered the cost, Wilder noted.
It's also important to negotiate a golden parachute, Wilder commented, because that will make blowing the whistle a purely ethical decision, rather than a financial one.
Finally, while suing an employer might get you the cold shoulder, blabbing to the media is even worse.
"I think it's an even higher level of blacklist possibility if you go to the press," he said.
Document, and find allies
Even if there's no whistleblowing event on the horizon, CISOs should document everything they do and every conversation they have, warned Herman Brown, CIO for San Francisco's District Attorney's Office.
"Email is a great form of documentation that doesn't just stand for 'electronic mail,' it also stands for 'evidential mail,'" he opined.
After every meaningful phone conversation, Brown says he sends the participant(s) an email covering the major points. Not only is it good backside-covering practice, occasionally it has uncovered something that was miscommunicated, he said.
All the panelists agreed on this point. Not only does the practice lead to a discovery trail after an incident, but it's also very handy to keep an eye on operations, make sure everyone is on the same page, and keep board directors informed.
"The document, having governance, having policies in place, and having that on [the] document is educating your leadership team on cybersecurity and letting them know that cybersecurity is not just a CISO responsibility; it's an organizational responsibility."
Similarly, if the CISO attends board meetings, they should make sure all of their comments are entered into the meeting minutes, particularly if a controversial topic that impacts the CISO's role comes up. Such minutes can be very helpful if it all turns legal.
One final piece of advice from Budiharto was to be prepared when blowing the whistle. HR departments and ethics committees operate for the benefit of the employer, not the employee, she warned. If you raise the alarm, you are certain to be thoroughly investigated yourself. ®
Editor's note: This story was updated to: Correct Dd Budiharto's career history, as she reported to the CISO at Phillips 66 rather than worked as the CISO at the energy provider, which we previously incorrectly reported; correct that Budiharto refused to sign off invoices from consultants as opposed to software developers as first incorrectly reported; and to more accurately characterize her advice on HR departments and ethics committees. We regret the errors.