

Uber’s Need to Foster 'a Culture of Resilience'


By now, you're probably pretty familiar with the scandal surrounding Uber's latest data breach disclosure. This past November, the company announced that, over a year ago, a hacker stole a plethora of personal information from drivers and passengers. The breach was no small potatoes: 57 million passengers' names, e-mail addresses and phone numbers were stolen, along with driver's license details for 600,000 U.S. Uber drivers.

What's more, Uber admitted to paying the hacker $100,000 to delete the stolen data, and to keep quiet about it. There's speculation that he was paid through a bug bounty program, an outsourced service used to identify potential cyber vulnerabilities, making the pay-off even more atrocious.

While these are undoubtedly major missteps by both business and legal standards, they can actually be channeled into positive outcomes for the company, according to Rebekah Lewis, Director of the Kogod Cybersecurity Governance Center (KCGC). They could be an opportunity for new leadership to signal a shift and re-shape the company's culture, demonstrating they are honest, forthright and able to appropriately manage future breaches.

"Uber doesn't necessarily need to change their security measures; they need to change how they handle incidents and communicate about their security," Lewis says. "Instead of a culture of security, they need to foster a culture of resilience."

Lewis' recommendations reflect a larger misconception about cybersecurity and business. When a breach happens, the general assumption is that a company's security measures were not strong enough. While this is true in some cases, in many others incidents may not be the result of unreasonable security practices.

Uber itself is a great example. After the company's 2014 breach, they invested in stricter cybersecurity policies and procedures to protect against future mishaps. To regain the public's trust, they even published a 40-page report on their website where experts on data privacy and security positively assessed their practices.

The reality is that data breaches will happen, no matter how secure a company is deemed. Businesses should be working to foster resilience (which Uber's new CEO Dara Khosrowshahi is working to do) so that they can successfully bounce back from security breaches.

This fact certainly doesn't negate Uber's poor decisions, or excuse the company's dishonesty; it does, however, offer them a rare opportunity to redeem themselves as an open, communicative business.

What about when a company's cybersecurity program does have major holes in it, though? Where can businesses turn to strengthen their security measures?

That's also part of a larger problem.

"It's difficult to pinpoint which measures organizations should focus on to improve their security programs because there's no standard of care right now," Lewis says. "There's no homogenized system business leaders can turn to."

This creates unclear security expectations for companies, and a lack of accountability. And, because there's not a consistent set of "rules" to weigh breaches against, there also are not clear legal implications when one happens. This is one of the issues with the latest Uber breach: it's not immediately clear where to assign blame, or how to address the problem legally.

There is one existing framework that holds potential: NIST's 2014 Cybersecurity Framework. The document provides a systematic methodology for improving one's cybersecurity infrastructure, as well as recommendations for risk management. Its meaningful implementation amongst companies is spotty and inconsistent, though, limiting its impact on the field.

As we move into 2018, Lewis predicts that, more and more, we will see companies seeking out ways to holistically improve their security programs, including their incident response plan, in order to avoid reputational harm and legal liability. Adoption and robust implementation of the NIST Framework, which is flexible enough to permit company-specific tailoring, would be the most prudent approach, advises Lewis. This will also require more involvement from high-level executives, as implementing a framework demands careful, intentional integration across a company's departments.

It's also reasonable to anticipate that we'll see more active disclosures of data breaches. Companies will begin to cultivate "cultures of resilience," as Lewis describes, rather than only focusing on security as the avoidance of incidents. Uber's a prime example of what can happen when a breach is not disclosed: loss of public trust and a damaged reputation are among the more difficult consequences to measure.

So, what lies ahead for Uber in the wake of their 2017 data scandal? They'll undoubtedly need to repair their reputation, and show their customers that they're honorable. And they'll certainly need to address the growing number of lawsuits filed against them.

Their biggest charge, though, is re-defining their culture. According to Lewis: "It is surprising that they chose to cover something up, rather than be forthcoming. Yes, there's things they can do to improve from a security perspective, but what's most important is how they handle future incidents. This is how they can become a trustworthy and resilient company."

Read more about Rebekah Lewis and her work with the KCGC.