Twitter's CISO Takes Off, Leaving Security an Open Question
Lea Kissner was one of three senior executives to quit this week, leaving many to wonder if the social media giant is ripe for a breach and FTC action.
November 10, 2022
Twitter CISO Lea Kissner has become the latest high-ranking executive to leave the company following Elon Musk's controversial $44 billion acquisition of the social media giant last month.
In a tweet Thursday, Kissner said they had resigned from Twitter but did not offer any reason for the decision. "I've made the hard decision to leave Twitter," Kissner wrote. "I've had the opportunity to work with amazing people and I'm so proud of the privacy, security, and IT teams and the work we've done."
It's unclear who is now in charge of security at the tech behemoth, or how much manpower is devoted to it. In the less than two weeks since he took charge, Musk has laid off some 3,700 Twitter employees so far, or roughly half of its workforce.
Executive Exodus?
Kissner's resignation follows the reported resignations of two other high-ranking Twitter executives this week: chief compliance officer Marianne Fogarty and chief privacy officer Damien Kieran. Casey Newton, founder and editor of Platformer, on Wednesday reported the exits of Fogarty and Kieran based on messages shared in Twitter Slack, which he claimed to have seen.
Twitter did not immediately respond to a Dark Reading request seeking confirmation of the reported resignations of Fogarty and Kieran.
Alex Stamos, former CSO at Facebook, described the exits of Kissner, Fogarty, and Kieran as a big deal for Twitter.
"Twitter made huge strides towards a more rational internal security model and backsliding will put them in trouble with the FTC, SEC, 27 EU DPAs and a variety of other regulators," he said — ironically, in a tweet. "There is a serious risk of a breach with drastically reduced staff."
Many others also view the cuts and the exodus of senior executives, both voluntary and involuntary, as severely crippling the social media giant's capabilities, especially in critical areas such as security, privacy, spam, fake accounts, and content moderation.
"These are huge losses to Twitter," says Richard Stiennon, chief research analyst at IT-Harvest. "Finding qualified replacements will be extremely expensive."
Kissner's exit is sure to add to what many view as a deepening crisis at Twitter following Musk's takeover. Among those who have been axed previously are CEO Parag Agrawal, chief financial officer Ned Segal, legal chief Vijaya Gadde, and general counsel Sean Edgett. Teams affected by Musk's layoffs reportedly include engineering, product teams, and those responsible for content creation, machine learning ethics, and human rights.
"The prospect of so many executives leaving Twitter's security management organization at once is a warning sign for several reasons," says Curtis Franklin, an analyst with Omdia.
For one thing, a great deal of institutional knowledge is walking out the door that is unlikely to be shared with incoming peers. The simultaneous exits of multiple executives will also likely disrupt ongoing processes such as regulatory and legal compliance, he notes. "And finally, when so many executives leave at once it indicates that there is an organizational lack of dedication to and support for the offices and functions that are being vacated. That may be the most troubling sign of all," Franklin says.
For his part, Musk has described the cuts as being necessitated by a catastrophic drop in ad revenue because major companies are suspending their ad spending on the platform following his takeover.
Potentially Severe FTC Impact
Twitter's most immediate concern might be on the compliance front. In response to a Dark Reading inquiry, a Federal Trade Commission (FTC) spokeswoman said the agency is taking note of what's going on at Twitter.
"We are tracking recent developments at Twitter with deep concern," the spokeswoman said in an emailed statement. "No CEO or company is above the law, and companies must follow our consent decrees. Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them."
Twitter is already under heavy FTC scrutiny. In May, the agency slapped Twitter with a $150 million fine for violating the terms of a previous 2011 consent decree involving the use of deceptively collected data, such as email addresses and phone numbers, for ad targeting.
In announcing the fine, the FTC also imposed fresh restrictions on the company's ability to use account security data to sell targeted ads. The FTC consent decree, among other things, prohibits Twitter's use of phone numbers and email addresses to serve ads. The decree requires Twitter to provide users with multifactor authentication options that do not involve phone numbers and requires the company to notify users about any improper use of phone numbers and emails and explain how they can turn off personalized ads.
The FTC has also asked Twitter to strengthen its privacy program, implement a beefed-up information security program, and submit to security audits by an independent third party.
The company's ability to live up to these commitments is sure to remain a focus at the commission following the recent layoffs and executive exodus at the company.
And indeed, Newton — the reporter who saw Twitter's Slack feed — quoted an employee as saying that for the moment, at least, it is up to Twitter engineers to "self-certify compliance with FTC requirements and other laws."
Stiennon says it would not be surprising if the three executives who resigned this week left because the new regime does not value what they do and treats their functions as secondary to the business goals.
"The teams have been cut to the quick," Stiennon says, "and the leaders are resigning because they cannot fulfill their responsibilities when they are understaffed and under resourced."