7 security incidents that cost CISOs their jobs
- 13 January, 2020 09:00
CISOs can leave their job for any number of reasons, but a breach or other security incident often hastens their departure.
According to Radware’s 2018 State of Web Application Security report, 23 per cent of companies reported executive firings related to application attacks.
US companies were more likely to say execs were let go after an incident, as were companies in the technology or financial services sectors.
While the CISO is not always let go -- Kaspersky reports that senior non-IT employees are laid off at 27 per cent of enterprises (those with over 1,000 employees) that suffer a breach -- their positions can often be at risk if there were clear security failures.
A Nominet survey of over 400 CISOs in the US and UK conducted by Osterman Research found that 6.8 per cent of CISOs in the US and 10 per cent in the UK believed that in the event of a breach they would lose their job. Just under 30 per cent of survey respondents believed they would get an official warning.
Here are seven major security incidents that cost security leaders their jobs in recent years. Take them for the learning opportunity that they are.
1. Capital One
In July 2019 Capital One announced an attacker had gained access to the personal information of over 100 million customers. The bank learned of the attack months after the fact thanks to a tip-off from a security researcher.
The suspected attacker, a former Amazon employee, reportedly took advantage of a misconfigured firewall. The company has said it expects the incident to cost it between $100 million and $150 million -- mainly for customer notifications, credit monitoring and legal support -- in 2019 alone.
In November the Wall Street Journal reported that Capital One had replaced Michael Johnson, the firm's CISO since 2017, with the company’s CIO, Mike Eason, while it looks for a full-time replacement.
Johnson continues at Capital One as an advisor focused on helping direct the bank’s response to the data breach.
2. Equifax
In 2017 Equifax was compromised via an unpatched consumer complaint web portal. This led to some 143 million customer records – including names, addresses, dates of birth, Social Security numbers and driver license numbers – being stolen.
As well as a lack of patching, the attack went undetected for months due to the company’s failure to update a certificate on an internal security tool.
The company then failed to publicise the breach for over a month after discovery. The US House of Representatives Committee on Oversight and Government Reform called the incident “entirely preventable,” while the US Senate Permanent Subcommittee on Investigations accused the company of a “neglect of cyber security.”
The aftermath handling was also poor. The company’s social media team sent out the wrong URL for handling the incident, while the dedicated site itself was poorly secured.
To compound matters, Jun Ying, CIO of Equifax U.S. Information Solutions, was jailed for four months and fined $55,000 for insider trading in the wake of the breach but before the company had made the incident public.
The cost of the incident is estimated to be $1.35 billion. The company reached a $575 million settlement (potentially rising to $700 million) with the Federal Trade Commission and others.
The company then admitted the fund set up from that settlement was due to run out because too many people opted for money rather than free credit monitoring.
Both CSO Susan Mauldin and CIO David Webb left the company in the weeks after the breach. Equifax CEO Richard Smith also retired in the wake of the breach.
Mauldin was replaced by interim CISO Russ Ayres (previously Equifax’s vice president of IT) before Jamil Farshchi took up the role permanently, having previously held the role at Home Depot, Time Warner and the Los Alamos National Laboratory.
3. Uber
In late 2017, ride-hailing company Uber revealed the data of 57 million riders and drivers had been stolen, including names, email addresses, phone numbers and driver license numbers.
Attackers reportedly accessed Uber’s private GitHub code repository – which the company has since admitted didn’t have multi-factor authentication enabled – and used login credentials stored there to access the company’s AWS S3 instances.
While that would be bad enough, this breach had occurred over 12 months earlier and the company’s CSO Joe Sullivan was reportedly involved in a cover-up that included handing over $100,000 to the attackers — which was disguised as a bug bounty pay-out — in exchange for deleting the data without releasing it.
The news was only made public after new CEO Dara Khosrowshahi had come aboard, despite the company having previously run afoul of the FTC for failing to disclose a data breach in 2014 (before either he or Sullivan had joined the company).
“You may be asking why we are just talking about this now, a year later,” Khosrowshahi said in a statement announcing the breach. “I had the same question. None of this should have happened, and I will not make excuses for it.”
Sullivan, who had previously served as Facebook’s CSO for five years, was fired from Uber after two and a half years at the company as a result. He has since joined Cloudflare as the company’s CSO.
4. Facebook
Not all CSOs leave because of specific incidents. Alex Stamos, Facebook’s CSO since 2015, left after three years in charge of security at the company to take a position at Stanford University after reportedly disagreeing with the company’s handling of the Cambridge Analytica scandal.
Stamos apparently favoured a more open and direct response in disclosing what the company knew rather than slow and reluctant admission. He later told MSNBC that it was a “big mistake” that the company wasn’t more forthcoming about the severity of the incident.
“Nobody lied, and nobody covered anything up,” he said, “but I feel like the initial way that these things were communicated really set the bar of whether or not a company was going to be seen as part of the solution or part of the problem. Facebook didn’t take that opportunity to say, ‘we’re part of the solution.'”
Stamos has since said that Facebook CEO Mark Zuckerberg has too much power at the company and should stand aside. Previously he had resigned from Yahoo! after the company built a tool for US intelligence officials that could scan users’ Yahoo Mail email accounts.
The social media company announced that it would not be replacing Stamos and instead had embedded its security engineers, analysts, investigators and other specialists into its product and engineering teams to “better address the emerging security threats” the company faces.
5. Target
The 2014 attack on US retailer Target is still spoken about today because it was one of the most notable cases of a successful supply chain attack — hackers exploited poor security in an HVAC vendor to compromise Target’s payment systems and steal the payment details of some 40 million customers over the Christmas period in 2013.
CIO Beth Jacob left Target in the months following the attack as the company overhauled its security posture and appointed its first CISO, former GE CISO Brad Maiorino, shortly afterwards. Jacob has since gone on to have roles at supply chain management provider SPS Commerce and Tivity Health.
As often happens in high profile attacks, Target CEO Gregg Steinhafel resigned from all his positions in the months following the breach (though the company’s failed expansion in Canada was reportedly also a factor).
Other CEOs to leave in the wake of cyber security incidents include Sony CEO Amy Pascal and Austrian aerospace firm FACC’s CEO Walter Stephan following a successful BEC scam.
6. JP Morgan
2015 saw both JPMorgan Chase's CSO Jim Cummings and CISO Greg Rattray reassigned to new positions within the bank in the wake of its 2014 breach of over 83 million accounts in the US, including names, email and postal addresses and phone numbers.
Cummings was reportedly reassigned to work on military and veterans housing initiatives for the bank. Rattray was made head of global cyber partnerships and government strategy and replaced as CISO by former Lockheed Martin security executive Roham Amin.
7. San Francisco State University
In 2015 Mignon Hoffman, information security officer at San Francisco State University, was reportedly fired for what she viewed as an attempt to sweep a 2014 breach of student records “under the rug.”
She sued for wrongful termination and whistleblower retaliation, seeking over $1 million in lost pension, lost earnings (past and future) and emotional distress.
In 2014 Hoffman was informed by an outside party of a vulnerability in a university Oracle application server. Information listed as compromised in court documents includes “data on current and past students, financial aid, financial transactions, accounts receivables and interfaces to housing as well as campus wide account management and password reset function.”
She alleged that previously recommended improvements to the Oracle database security were rejected by her superiors due to budget constraints and IT security risk acceptances, and in the wake of the incident the interim CIO didn’t want to report a security breach “on his watch” and sought to “avoid reporting supporting information that might lead to a breach disclosure.”
The university confirmed there was a security incident in which publicly available information was potentially accessed. Because it maintained there was no breach of personal data, students were not notified; the university felt they had no reason to be concerned about their personal information.
The university denied her termination was related to the security incident. The case was later settled out of court.
If you keep your job, incidents can be good
While an incident might leave some CISOs fearing for their jobs, the opposite may be true: going through one may benefit both your career and your personal health.
A study by Goldsmiths University of London and Symantec surveyed over 3,000 security decision makers across France, Germany and the UK and found that going through a data breach can have a positive effect.
Around a quarter (26 per cent) of respondents had experienced a breach, and they were much less likely to be stressed about issues around their job. Reported feelings of burnout among those surveyed were almost half as common (23 per cent) in the group that had experienced a breach compared to those that hadn’t (47 per cent).
Just 14 per cent of this group feel sharing information about an incident that took place on their watch will negatively impact their career, compared to 18 per cent of people who haven’t suffered a breach.
The percentage of those who feared being dismissed as a result of an incident was also much lower among those that had already been through breaches: 19 per cent to 28 per cent.
A similar study by Optiv Security found that the majority (58 per cent) of the 200 UK and US CISOs it surveyed felt that experiencing a data breach makes them more attractive to potential employers.
Only six per cent of CISOs in the Optiv study say they did not stay with the company through the recovery period after a breach.
“Cyber security professionals who have witnessed an attack first-hand should be applauded, not vilified,” says Ewen O’Brien, VP of enterprise, EMEA at BitSight.
“They should feel confident that their experience can help their organisations be better prepared for the future. Their experiences -- and the knowledge they’ve gained from those experiences -- can be used to bolster security performance management and create a formidable front against potential threats.”
Incidents can be a learning experience
Instead of worrying about being fired after an incident, CISOs should focus on how to learn from mistakes and where to improve. “I was a chief information security officer when things like the ILOVEYOU virus and things like this were going on,” says Dr. Steve Purser, head of core operations at ENISA.
“The big lessons, even in those days, were how do you communicate successfully when you're under pressure? How do you concentrate on the right things, exchange the right information, and make sure that you are doing things in a prioritised order?”
Purser was a CISO at a number of financial institutions from the early 90s until he joined ENISA in December 2008. When asked whether a breach on someone's CV would make them more employable, he says it would depend on how they used their experiences going forward.
“I would dig into what they learned from the experience,” he explains. “The difference between a good security manager and a bad security manager is how you ensure that you don't make the same mistakes all over again.”
“Just going through a breach doesn't necessarily say anything,” Purser continues. “Analysing it, understanding what went wrong, taking proactive measures to ensure that it doesn't happen again, and demonstrating a learning process. That's something which I think is extremely valuable. That's what I would try to assess in any recruitment exercise.”
Likewise, organisations may think they’ve learned plenty from going through an incident, but the real proof is in implementing changes while the experience is still fresh and people are focused.
“If they actually took the time to analyse what went wrong and really learn from it, then the company should feel stronger because obviously, they've learned something out of the process,” says Purser.
“Where it becomes problematic is, of course, if you really don't learn anything out of it. It all depends on the company's ability to analyse itself, to take the thing apart, and to define corrective measures, to revamp procedures, technology, tools, etc. so that they're better prepared the next time.”
“In my past experience where companies fell down is that they did a great analysis, but new priorities got in the way,” Purser says. “The follow up and the making sure that you implement the lessons learned is obviously the key to everything.”
Simulations and information sharing are safer learning experiences
Purser adds that exercises and simulations are a useful learning opportunity for CISOs and their organisations and come with less risk than relying on actual incidents.
As part of his role at ENISA, he helps run security exercises with member states and their organisations as part of efforts to improve the EU’s cyber security posture.
“I think simulations are essential,” he says. “They are incredibly valuable in learning about what does and what doesn't work at an operational level [during ENISA’s exercises]. It really reveals the weak points on the ground.
“What I learned early on in my career is that without exercises, you tend to have an over-reliance on documents. Not enough practical experience means you don’t know where documents fall down and it's difficult to find out where your procedure is weak. Exercises are the key to that.”
The Symantec study found that security professionals were more likely to discuss personal experiences with peers outside the organisation if they had gone through a breach, yet the majority feel there isn’t enough cross-industry sharing of cyber security intel.
Purser says that while there is a huge amount of tactical information — almost to the point of overload — there is a distinct lack of strategic information because of the effort involved to collect, analyse and turn into something useful for decision making.
“It's all about communication. It's about understanding what you're dealing with. It's about making sure the right information gets to the right people at the right time to solve a particular problem,” Purser says.
“You might be unfortunate enough to be caught out by a breach, but if you're clever in dealing with it and you have the presence of mind to keep a record of what went wrong, it can really teach a lot about processes and how they can be improved.”