Another Uber cybersecurity story is occupying a good chunk of the tech press and elements of the mainstream press today - this time regarding their ex-CISO being convicted in relation to a security breach at the company in 2016.
This is a story that demonstrates that language is important, as well as the need to understand a story before commenting on it.
Some key points from me:
He was NOT convicted for Uber having a breach - he was convicted of attempting to hide the breach.
He was NOT the scapegoat for the rest of the C-Suite - he personally made decisions and issued orders to subordinates that constituted a felony under US law.
This is not specific to the cybersecurity world. In the UK (and I’m sure replicated in other legal jurisdictions), there are similar offences, such as failing to report a motor vehicle accident.
Whilst the CISO is occasionally touted as the “fall guy” for a security breach - that is not what happened here. His unethical and illegal handling of the breach after it had already happened is the reason he was convicted.
The U.S. Department of Justice statement:
https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach