JPMorgan’s CSO Jim Cummings was re-assigned a year after a breach which saw 83 million records compromised on the back of a social engineering campaign. The bank’s CISO Greg Rattray was asked to leave his position and take up the global cyber partnerships and government strategy.
But these are rare examples and more often than not it’s the senior business executives that take the fall. 40 million credit card details lost (and over 100 million data records compromised) saw Target lose its CIO and CEO after its breach in late 2013 (although the retailer did appoint its first CISO), while the 2007 breach at apparel retailer TJX saw a director and senior vice president jump ship. In the UK, TalkTalk’s Dido Harding hung onto her job after last year’s breach which saw 157,000 records compromised, including the financial details of 15,000 customers.
While this may surprise some, it could be argued that this comes down to accountability, reporting lines and security maturity. For example, if the CISO reports to IT, the CIO could take the fall, while other stakeholders might push board members to leave the sinking ship.
Brian Honan, managing director of BH Consulting, says that it’s also hard to gauge whether a CISO has been fired - or has simply found another job.
“CISOs move so much today it is hard to know if they jumped or [if] they were pushed - especially in the absence of any public information on breaches.”
Why CISOs get fired
There may be no record of CISOs being given the boot but - in my discussions with a number of CISOs, CIOs and other InfoSec experts - it is clear that this happens on a fairly regular basis.
CISOs may depart after their organization suffers a damaging breach, but they can also leave for failing to spot or report a bug, for poor purchasing decisions, or because of disagreements with senior management.
One head of information governance, previously working in the US media sector, tells me that there were two occasions she saw her CISO asked to leave. Both dismissals, she said, “mostly centered about [an] inability to address risk to a satisfactory state and in an economical manner.”
Other sources, speaking to me anonymously, recall occasions where their firm’s CISO was dismissed for poor reporting, exceeding their budget, not following business strategies or even spreading FUD (Fear, Uncertainty and Doubt) - rather than delivering practical solutions to these same problems. It was, as one CIO remarked, a case of the CISO “talking the talk, but not walking the walk.”
A UK-based penetration tester recalls another example where a fellow pen tester found various flaws in a client’s IT infrastructure (allowing him to remotely take over the web server) and reported these to the CISO, who promised him £4,000 in return for disclosing the vulnerability.