Shimmy on the “CISO Dilemma”

October 9, 2022

The Sullivan case and Mudge’s Twitter incident are two sides of the same coin, both spelling trouble for CISOs. This week’s news that former Uber CISO Joe Sullivan was found guilty of failing to disclose a breach and lying to authorities about it rang a clear klaxon across the CISO community and, in fact, the entire cyber security industry. But to view the Sullivan case on its own, without comparing it to the recent Twitter incident involving Mudge Zatko, is, I think, missing the forest for the trees. They are two sides of the same coin, staking out opposite ends of what a CISO should do. Do you take the “Nuremberg” defense of “just following orders” that Sullivan seemed to take, or go for your “Jerry Maguire” moment and shine the light on the soft white underbelly of cyber negligence (if you believe that is what it was)? Or maybe you vote with your feet and just get another job. What is a CISO to do?

