There seem to be two reactions to the verdict in the Sullivan case. One reaction, often from CISOs already stressed by being outside the room where it happens, is to decide that being a CISO isn’t worth the risk – it already wasn’t worth the stress. If the title is really Chief Scapegoat Officer, it’s one thing to lose your job, but your freedom? That’s across the line. The second reaction seems to be nonchalant. What’s the big deal, after all? It’s just one person, and there was some shady stuff going on over at Uber.

Going to jail as a CISO is a new and novel risk, and humans tend to react strongly to surprising risks, especially when they hit close to home. Joe Sullivan is the first CISO to be in this position, and many in the security industry knew him, so it’s reasonable to take this a little personally. But professionally? Most CISOs aren’t going to find themselves in Joe Sullivan’s shoes.

If you haven’t been maniacally following the trial (I haven’t either), the central issues seem straightforward: Uber was under investigation for privacy issues. Uber had a data breach. The attackers extorted Uber. Uber paid them through its bug bounty program (albeit by modifying the bug bounty program to meet the hackers’ demands). Uber did not disclose this breach to the federal investigators. Those facts don’t seem to be in contention. What did seem to be in contention was who knew all the details. Was it just Joe Sullivan? Was it Uber’s other lawyers? (Sullivan was also wearing the hat of deputy general counsel.) Was it the other executives?

4 steps for CISOs to stay out of jail

Uber’s early startup culture was heavily driven by its founder, Travis Kalanick, and calling that culture “techbro” isn’t nearly evocative enough. While it can be tempting to want to be the hero and turn around an organization, recognize that you’re at heightened risk – both of finding convenient shortcuts and of inheriting a program that probably has a lot of weaknesses. Moving into a company that was just starting to care about user privacy, and which the government was already paying close attention to, was a risky move.

Your first step for staying out of jail? Stay out of that type of situation, or, if you find yourself in it, hold very tightly to your values.

There is a difference between a security researcher and an attacker. A security researcher might compromise your systems and get access to your data repository, but they stop before they exfiltrate your data. They might redact a screenshot, or take a tiny sample of something, and then they will carefully track where everything went. They’ll contact you under a name that ties back to them. The researcher hopes you’ll pay them a bounty, especially if you have a bug bounty program, but they risk you deciding not to pay. Their only recourse if you don’t pay is to disclose the vulnerability publicly to embarrass you.

An attacker takes your data. They hold it hostage and demand that you pay them, or they’ll do something nefarious – sell the data to a broker or just publish all of it. They started by doing you harm, and the reputational harm is only a piece of it.

Your second step for staying out of jail? Don’t use the tools meant for engaging researchers (who did not breach your data) to engage attackers (who did).

Whether you suffer a data breach or “just” have a vulnerability found by a third party, you have a duty to publicly disclose it. Sometimes, that duty comes from legal or regulatory regimes, and you might have a time limit to disclose. Other times, that duty comes from harm minimization. If an adversarial third party knows you have a weakness, you negate a lot of risk by fixing it and telling the world. The adversary loses any hold on you, because now they can’t disclose anything interesting.

Your third step for staying out of jail? Don’t hide data breaches.

Now, if your company is under investigation by the government, for anything, be really careful about what you hide from the investigators. Being non-responsive, especially in an area they are actively scrutinizing, is a serious problem.

Your fourth step for staying out of jail? Don’t actively mislead government agents who are investigating your company.

If your company violates the above rules, make sure you aren’t the scapegoat. If there are communications between you and other executives, especially if they pressure you to break these (or other) rules, keep receipts. Retain your own lawyer. (Remember, your company’s lawyers have no obligation to you, just to the company.) Make sure your lawyer gets a copy of the receipts, because when you leave the company, you’ll lose access to your inbox. If your inbox is the only place you had evidence that it was a company decision, and not you acting as a rogue executive, you won’t be able to keep that evidence. This step might not keep you out of jail, so it’s hard to call it a fifth step, unless the act of keeping evidence makes it harder for your conscience to accept being complicit in breaking the above rules.

Should I take that next CISO gig?

This verdict probably shouldn’t be the deciding factor in whether you’re going to be a CISO. For most people who are aiming to be CISOs, this isn’t a significant enough risk to alter their decisions. For a small handful of executives – maybe the “CISO-stars” who do step into high-risk, high-profile situations – this may dissuade them from a dangerous situation. For most CISO candidates, though, this verdict shouldn’t change your career plans.

Try not to make the same mistakes that Uber did.