Twitter’s most senior cybersecurity staffer Lea Kissner has departed the social media giant.
Kissner announced the move in a tweet on Thursday, saying they made the “hard decision” to leave Twitter, but did not say for what reason they resigned. Elon Musk completed a $44 billion takeover of Twitter two weeks ago, resulting in layoffs affecting more than half of the company and the departure of senior executives, including CEO Parag Agrawal, general counsel Sean Edgett, and legal policy chief Vijaya Gadde.
News of Kissner’s departure was first reported by Casey Newton. Twitter’s chief compliance officer and chief privacy officer also resigned on Wednesday, Newton said.
It’s not immediately clear who is responsible for Twitter’s day-to-day security operations following Kissner’s departure. A spokesperson for Twitter did not immediately respond to a request for comment.
I’ve made the hard decision to leave Twitter. I’ve had the opportunity to work with amazing people and I’m so proud of the privacy, security, and IT teams and the work we’ve done.
I’m looking forward to figuring out what’s next, starting with my reviews for @USENIXSecurity ?
— Lea Kissner (@LeaKissner) November 10, 2022
Kissner, who previously served as Twitter’s head of privacy engineering, was appointed Twitter’s chief information security officer (CISO) in January 2022 following the departure of security head Peiter “Mudge” Zatko and then-CISO Rinki Sethi. Mudge went on to blow the whistle to federal regulators claiming security mismanagement and lax access controls that put users’ data at risk.
Twitter is currently under a 2011 agreement with the Federal Trade Commission which accused Twitter of cybersecurity failings that allowed cybercriminals to access internal systems and user data. The decree mandates that Twitter “establish and maintain a comprehensive information security program” to be audited every decade. It’s not clear how Twitter maintains that compliance with the FTC without a company security lead in place. One employee said in a company Slack that it was for Twitter engineers to “self-certify” compliance with the FTC.
Earlier this year, Twitter was fined $150 million for violating that 2011 consent decree for misusing email addresses and phone numbers provided by users to set up two-factor authentication for targeted advertising.