Lyft's CISO exits as company embraces Silicon Valley trend of embedded security

Dive Brief:

Lyft CISO Mike Johnson announced "with a heavy heart" his departure from the rideshare company in a LinkedIn post on Tuesday. His official last day was Friday, the day of his resignation.
Johnson joined Lyft as its first CISO in August 2017 and left the role after 18 months. He leaves the security team he helped build "and the accomplishments we've pulled off together."
Lyft did not confirm its intentions of onboarding a new security executive to fill Johnson's absence. However, Johnson's resignation comes when the rideshare company is exploring distributed responsibilities.

Dive Insight:

Lyft is moving to an embedded, distributed security model used by other Silicon Valley companies.

This move is bucking established work models, but has been done recently by Facebook.

Facebook's former CSO Alex Stamos announced his departure from the social network in August and the day after the company disclosed the involvement of malicious actors' political influence campaigns on the network.

Stamos left the role without a replacement in place as the social network intended to dissolve its formal security organization in favor of embedding security engineers, analysts and investigators, a Facebook spokesperson told The Verge at the time.

During the height of data privacy watchdogs, eliminating the chief security role is a pivot from industry expectations. Having a formal title with a named head creates synergy among security efforts and public reassurance that companies value security.

"Security and privacy remain top priorities for Lyft and our customers," according to an emailed statement from Lyft to CIO Dive. Notably, Lyft's predominant competitor, Uber, has a CISO and chief privacy officer, which the company named in January.