https://path.rsaconference.com/flow/rsac/us25/FullAgenda/page/catalog/session/1727392520218001o5wv
https://www.theregister.com/2025/04/28/ciso_rsa_whistleblowing/

Chief Information Security Officers should negotiate personal liability insurance and golden parachute agreements when starting new roles to protect themselves in case of organizational conflicts, according to a panel of security experts at the RSA Conference.

During a session on CISO whistleblowing, experienced security leaders shared cautionary tales and strategic advice for navigating the increasingly precarious position that has earned the role the nickname “chief scapegoat officer” in some organizations.

Dd Budiharto, former CISO at Marathon Oil and Phillips 66, revealed she was once fired for refusing to approve fraudulent invoices for work that wasn’t delivered. “I’m proud to say I’ve been fired for not being willing to compromise my integrity,” she stated. Despite losing her position, Budiharto chose not to pursue legal action against her former employer, a decision the panel unanimously supported as wise to avoid industry blacklisting.

Andrew Wilder, CISO of veterinarian network Vetcor, emphasized that security executives should insist on two critical insurance policies before accepting new positions: directors and officers insurance (D&O) and personal legal liability insurance (PLLI). “You want to have personal legal liability insurance that covers you, not while you are an officer of an organization, but after you leave the organization as well,” Wilder advised.

Wilder referenced the case of former Uber CISO Joe Sullivan, noting that Sullivan’s Uber-provided PLLI covered PR costs during his legal proceedings following a data breach cover-up. He also stressed the importance of negotiating severance packages to ensure whistleblowing decisions can be made on ethical rather than financial grounds.

The panelists agreed that thorough documentation is essential for CISOs. Herman Brown, CIO for San Francisco’s District Attorney’s Office, recommended documenting all conversations and decisions. “Email is a great form of documentation that doesn’t just stand for ‘electronic mail,’ it also stands for ‘evidential mail,’” he noted.

Security leaders were warned to be particularly careful about going to the press with complaints, which the panel suggested could result in even worse professional consequences than legal action. Similarly, Budiharto cautioned against trusting internal human resources departments or ethics panels, reminding attendees that HR ultimately works to protect the company, not individual employees.

The panel underscored that proper governance, documentation, and clear communication with leadership about shared security responsibilities are essential practices for CISOs navigating the complex political and ethical challenges of their role.