RSAC Chief security officers should negotiate personal liability insurance and a golden parachute when they start a new job – in case things go sideways and management tries to scapegoat them for a network breach.
And if they blow the whistle, it’s best not to sue their employer as well, lest they get blacklisted.
Those were among the nuggets of advice given at an RSA Conference panel on CISO whistleblowing Monday. Dd Budiharto, a former CISO at Marathon Oil and Phillips 66, told her audience one past unnamed employer fired her for refusing to sign off on bogus invoices. Preparation, relationships, and choosing not to sue helped her get out of the situation with her reputation intact.
“I’m proud to say I’ve been fired for not being willing to compromise my integrity,” she said.
“My thoughts were, ‘I actively cannot agree with what is happening, I have to use my voice, I have to speak up, I have to tell the leadership and then see how the leadership responds to that,’ and then I had to make a tough decision. I have a family to take care of and did not have a golden parachute to fall back on, but it really starts with you as the person.”
In this case, she refused to OK invoices for work a developer hadn’t delivered. After escalating the matter to the leadership, she says, she was reprimanded and investigated by HR, and her line manager made a number of false accusations, which she was only able to refute thanks to strong relationships built with other members of staff. After she left, she says, the company found out she was right.
Although she did lose her job, she decided not to sue over the issue, saying such a move would leave a “black spot” on her record and may cause her employer to smear her throughout the industry. Besides, she already had another job lined up. All three of the CISOs on the panel agreed that was a wise move.

The CISO panel at the RSA Conference. From left, moderator Dorene Rettas, Herman Brown, Dd Budiharto, and Andrew Wilder.
Another panelist said security officers should insist that bosses fund two insurance policies – directors and officers insurance (D&O) and personal legal liability insurance (PLLI) – before signing on to a new company. These policies have been standard for corporate officers for decades, explained Andrew Wilder, CISO of veterinarian network Vetcor and adjunct professor of cybersecurity at Washington University in the US.
“You want to have personal legal liability insurance that covers you, not while you are an officer of an organization, but after you leave the organization as well,” Wilder said, adding that CISO meant “chief scapegoat officer” to some companies, who think firing their head of security after a cyber-incident will somehow help things.
“Both of these things are table stakes for CFOs, and have been for many, many years. I’ve talked with CISOs, who have been whistleblowers who have had to go to court later, and they’ve had to take all of those court costs personally, and you don’t want to be in that situation.”
Wilder cited the case of his friend Joe Sullivan, the former CISO of Uber, who was convicted of obstruction of justice and not reporting a crime after he covered up a 2016 security breach and tried to disguise a ransomware payment as a bug bounty. Sullivan hired a PR company during the court case to shore up and repair his reputation, and the Uber-provided PLLI covered the cost, Wilder noted.
It’s also important to negotiate a golden parachute, Wilder commented, because that will make blowing the whistle a purely ethical decision, rather than a financial one.
Finally, while suing an employer might get you the cold shoulder, blabbing to the media is even worse.
“I think it’s an even higher level of blacklist possibility if you go to the press,” he said.
Document, and don’t trust HR
Even if there’s no whistleblowing event on the horizon, CISOs should document everything they do and every conversation they have, warned Herman Brown, CIO for San Francisco’s District Attorney’s Office.
“Email is a great form of documentation that doesn’t just stand for ‘electronic mail,’ it also stands for ‘evidential mail,’” he opined.
After every meaningful phone conversation, Brown says he sends the participant(s) an email covering the major points. Not only is it good backside-covering practice, occasionally it has uncovered something that was miscommunicated, he said.
All the panelists agreed on this point. Not only does the practice lead to a discovery trail after an incident, but it’s also very handy to keep an eye on operations, make sure everyone is on the same page, and keep board directors informed.
“The document, having governance, having policies in place, and having that on [the] document is educating your leadership team on cybersecurity and letting them know that cybersecurity is not just a CISO responsibility; it’s an organizational responsibility.”
Similarly, if the CISO attends board meetings they should make sure all of their comments are entered into the meeting minutes, particularly if a controversial topic that impacts the CISO’s role comes up. Such minutes can be very helpful if it all turns legal.
One final piece of advice from Budiharto was never to trust human resources or ethics panels within a company. HR departments operate for the benefit of the employer, not the employee, she warned, and if you blow the whistle against a boss you are certain to be thoroughly investigated yourself. ®