I'm a security executive. I'm keenly aware that my CISO, my peers and I are basically one bad day away from being scapegoated and put to the torch. It's an occupational hazard so pervasive it doesn't usually effect getting your next job. So one thing I make abundantly clear to my superiors and peers is I will not lie to people who can put me in jail under any circumstance. In practice, this has (rarely) caused friction but no one has seriously pressured me to change my stance.
Do what is right, regardless of incentives, culture, etc. I couldn't agree more. But the mishandling of the breach is indicative of failures at multiple layers, not just security. And I am not sure how his indictment fixes much.
That's a good point. There's an old Italian saying: "A fish rots from the head". It seems clear that executive management said "find a way to cover this up", and the CISO made every effort to do so.
Meanwhile the Executive Suite inhabitants walked away free as birds.
My opinion is that Uber is a scam, soaking unwise and/or unsmart investors and drivers alike, while the Executive Suite boys and girls get to have lots and lots of lovely moolah as salary and bonuses.