· ·
Uber CISO trial: accountability is not abstract
Joe Sullivan's case is a hard watch for CISOs. Worth watching for the implications, not only the timeline.
In late 2016 Uber had a data breach. Joe Sullivan, then CISO, later faced felony charges tied to how that breach was handled and reported. In May 2023 he was sentenced to three years' probation.
That sentence is not a trivia item for CISOs. It is a reminder that "security leadership" can mean personal legal exposure when breach handling, disclosure, and executive pressure collide.
This conversation with Joe (hosted by Todd) walks the timeline - and, more usefully, what the industry still gets wrong about accountability, escalation, and who actually owns the decision to tell regulators and customers.
A few things I keep coming back to when founders ask about CISO models:
- Accountability sticks to a person. You can outsource work. You cannot outsource the consequences of silence or spin. I wrote more about that split in fractional CISO vs vCISO: accountability vs responsibility.
- Breach response is a leadership problem first. Tools and playbooks help. They do not decide whether bad news reaches the board on time.
- If your CISO only hears about incidents after legal has drafted the story, you already failed the control. Late involvement is how people end up choosing between careers and compliance.
Watch it if you hold the title - or if you hire someone who does. The interesting part is not the courtroom drama. It is whether your org would put the same person in that corner.
Find this on LinkedIn and give it a thumbs up: Uber CISO trial: accountability is not abstract
Related
- Fractional CISO vs vCISO: accountability vs responsibility for who owns what when roles blur
- CISO vs vCISO vs fractional CISO for picking a model that fits