You're fired! Does sacking the CISO make good post-breach security sense?

News by Davey Winder

A recent report revealed the extent to which organisations respond to breaches by getting rid of the CISO. Who is getting fired and is this a good way to manage a problem?

The Radware 2018 State of Web Application Security report reveals a lot about the challenges facing enterprises as they seek to maintain their security posture. Not least that 23 percent of companies in the Europe and Middle East region have sacked executives post-breach.

Focusing on global enterprises, the researchers analysed both the frequency and complexity of application-layer attacks. The key findings will probably surprise no-one in the security industry, but are a realistic reflection of the current threatscape. Some 89 percent of respondents had experienced web application or web server attacks during the past year, with the rate of the former increasing from just 12 percent last year to 50 percent this year.

The post-breach consequences make for equally sobering reading:

  • 52 percent said customers ask for compensation
  • 46 percent reported a major reputational impact
  • 35 percent experienced customer churn
  • 34 percent saw a drop in stock price
  • 31 percent had customers looking to legal recompense

At the bottom of this list, but at the top of our inquisitive radar, was the fact that some 23 percent said that they let executives go.

SC Media UK was left wondering, just who is getting fired here?

If they are in security roles, as one might logically expect, then how does this affect both recruitment from an industry with an acknowledged skills shortage and the short-term security posture of the enterprise itself?

Unfortunately, Radware didn't have a breakdown of these sackings by role, although Mike O'Malley, vice president of strategy at Radware, did reveal to SC Media UK that such sackings are "50 percent more common in the US (27 percent) over APAC (18 percent)", with EMEA in between at 23 percent.

Interestingly, sackings vary by industry with tech leading the itchy trigger-finger pack at 34.5 percent, financial services 28 percent, retail 12 percent and manufacturing bringing up the rear on seven percent.

When it comes to the short-term risk impact on the business of post-breach sackings, O'Malley told us it depends on the severity of the breach. "If this is a broken business process, it may impact managers other than just CISO/CIO who hold direct responsibility," he said. "Regardless, the time to investigate is parallel to the time of recruitment. The larger the organisation the larger the risk without the adult in the room..."

Lillian Tsang, senior data protection and privacy consultant at Falanx Group, agreed. She said that "time and resources spent on new recruits can be an arduous and a lengthy process, and finding the right person takes time. Time that should instead be spent on lessons learnt, building and evolving procedures which an existing security team would be in a better position to advise, given the existing knowledge they have regarding the vulnerabilities of the organisation."

Where heads do roll, sometimes it can be the wrong ones, according to Adam Brown, manager of security solutions at Synopsys, who said, "If post breach the action is to fire the security chief, surely then there should be questions to the board about how they could not see this part of the organisation failing?"

Fraser Kyne, EMEA CTO at Bromium, agreed. "Organisations should only fire someone over a breach as a last resort in the instance of gross negligence," he said, adding: "Leadership can often drive culture, so if you have someone who is cutting corners, or who simply doesn’t have the skills and experience needed to run a good SOC, making way for someone that does can be the right call."

Yet, as Alex Rice, CTO of HackerOne, reminded us, "Firing executives as a symbolic public relations win shifts blame from the true root causes that ultimately need to be addressed for consumers to be protected. Be wary of any organisation that places the full blame on a single individual, even the CEO."

So, if not 'cull and replace', what should enterprises be doing post-breach when it comes to the security team, including the C-suite? "Rather than simply pointing the finger," Zeki Turedi, technology strategist at CrowdStrike, told us, "the business should thoroughly and carefully understand any security incident, and take the appropriate steps to remedy and stop it happening again."

Michael Madon, general manager of security awareness at Mimecast, said: "Due to the shortage of talent across the industry, dismissed CSOs will just walk into another job and the organisation will be left with the same problem."

Most security professionals would agree that learning lessons is what really counts. As Ed Williams, director EMEA for SpiderLabs at Trustwave, said, "Getting rid of the people who have gone through this seems counter-productive and not how we improve the industry..."
