
In Light Of The Twitter Whistleblower Testimony, Key Questions Every Board Needs To Ask

Directors would be wise to take a lesson from Twitter's unfortunate time in the spotlight by asking themselves these 6 questions.

Following the testimony of Peiter “Mudge” Zatko in front of the Senate Judiciary Committee, I’ve been reviewing his whistleblower complaint as well as the supporting documents. It’s been an opportunity to take a retrospective look at what data security policies should have been established at Twitter and learn from the past. What this testimony has also revealed, however, are implications for how data security is governed, ranging from the board to regulatory bodies. It’s become clear that the future of data security lies in the hands of these groups, and it all begins with an organization’s board members.

Board members must now ask themselves what the implications would be for their business—and them—if they were to find themselves in a similar situation. They’ll need to ask the hard questions and figure out whether they not only have specific capabilities or plans in place to address the issues raised, but also to deal with more esoteric trust issues. Questions like: “Can I believe the current security status reports?” or “Are we being told everything important about security or is some information being purposefully withheld?” These questions are, sadly, questions that aren’t easy to answer with a simple yes or no, even by the people preparing the reports.

Board members must start with a set of questions about the current state of data security that can be answered with evidence-based responses from the CISO. While it is perhaps unfair to expect any CISO new to an organization to be able to answer these questions, they still need to be asked. With an average tenure of 18 to 24 months, most CISOs could quite fairly be described as “new.” Their focus is more on simultaneously trying to invest strategically in new capabilities while reacting to the latest incident(s), than on unraveling years of technical debt and discovering where data that’s accumulated over the years came from or why they were collecting it in the first place. This results in a parade of CISOs failing to make meaningful change, unless, that is, the board focuses its attention on meaningful change by asking the following simple questions.

Key Questions Every Board Member Should Ask Their CISO

Are development, test, staging, and production environments kept separate from each other?

If the various environments are not separated from each other, organizations are setting the stage for unauthorized users to access data they should not be able to, regardless of the controls put in place.

Least privilege has always been a clear principle underpinning cybersecurity in all its forms and is usually a specific principle adopted within organizational security policies. It’s also been a clear principle in modern privacy laws, with clear direction provided that data should only include that which is required to fulfill a specific purpose. Enterprise leaders must ensure that each environment is properly architected to only allow access to the right users, in order to prevent data leakage from occurring.

Do we know what data is in each environment?

Mudge noted that one of his concerns was that Twitter didn’t know what data it was collecting. But this isn’t the only problem. In fact, it only sets the groundwork for the broader problem, particularly amid concerns over unfettered foreign government activities in and around Twitter: Twitter employees have too much access to too much data and too many systems, because data is everywhere.

Developers and engineers do not need access to personal information in any environment outside of production, but CISOs struggle to enforce this because they simply do not know what data they have in each environment and instead trust that it isn’t sensitive.

What access do new employees have to this data?

Continuing the examination of user access permissions, boards must also consider what access new employees are given to the organization’s data. This will naturally depend on their role, as they will need to learn their responsibilities; however, granting them too much access may lead to excessive permissions that are hard to revert.

Are errors and failed login attempts being monitored?

If organizations are not monitoring and recording errors and failed login attempts, they are losing out on the ability to identify potential risk right away. It is vital that the board maintains visibility into this type of activity, so that the organization can identify problems before they arise, as well as potential attack targets and avenues.

Are there appropriate steps in place to back up data and protect backup data?

Boards also must consider whether the organization’s data security posture management (DSPM) strategy includes adequate steps and procedures to guard against ransomware and other destructive data failures. As we’ve discussed, adopting zero trust and least privilege policies can help prevent unauthorized access to sensitive data, but additional resilience is required.

Creating and testing backups of data also gives organizations insurance that data cannot be destroyed or accidentally deleted. If this policy is not already in place, leadership should consider implementing this practice to protect enterprise data and safeguard against potential issues.

Are we compliant with our own data security policies?

The telling part of Mudge’s testimony is that without the required visibility, it’s obvious that best intentions and data security practices were impossible to comply with. Systemic failures to adhere to your own security policies and privacy laws are the types of issues that can’t be unseen at the board level and will require a clear commitment to reducing unnecessary data and/or access.

So, will Mudge’s testimony be a catalyst to get specific investment and focus from boards in addressing data flow visibility and reducing unnecessary data and access in other organizations? While data-savvy boards understand that it will take time to rectify years of neglect, this is a problem that will likely generate greater focus from regulators in the short term.

