Bob Hayes Shares Insights on Sullivan Conviction
October 12, 2022 – SEC Managing Director Bob Hayes recently shared his thoughts with SecurityInfoWatch.com on the conviction of former Uber CSO Joseph Sullivan and its implications for security professionals. Sullivan was convicted in federal court on October 5 on charges of obstruction of justice and misprision of a felony for taking steps to conceal a 2016 data breach involving 57 million Uber users.
Hayes, former CSO of Georgia Pacific and 3M, cautions corporate security leaders not to look at this incident as unique to cybersecurity or to Uber. “Security people have always been subjected to criminal and civil risk in what they do every day, because people, companies, information, brand get damaged when security isn't managed well,” he told SIW. “There are a lot of cases where CSOs have gone to jail when their behavior became criminal.”
Legal risk can come not only from malfeasance but from misunderstanding of legislation, negligence, and even miscommunication about responsibility. Hayes emphasized the criticality of documentation of security processes and behaviors, clear delineation of roles and responsibilities, and communication of risk to all stakeholders. “Do you understand the law? Is your role really clear? Are you in agreement with management on how these things are going to be handled? Do you have good processes in place? Do you run tabletop exercises to see if everybody's on the same page? Make sure you have concurrence on the mitigation strategies, and make sure that your roles and responsibilities are clearly defined.”
In those instances, like the Sullivan case, where a security leader is tempted to intentionally break the law, Hayes hopes this case will have a silver lining: “I think security people will be more determined than ever to do the right thing.”
About the Security Executive Council
The Security Executive Council is the leading research and advisory firm focused on corporate security risk mitigation strategies and plans. We work with security leaders to transform security programs into more capable and valued centers of excellence. Watch our 3-minute video for a quick overview or visit us at www.securityexecutivecouncil.com.