Two months on, however, and with no payment received, the pen test outfit contacted the firm’s CEO. This action had dire consequences for the CISO.
“About two months of calls, nothing. The testing company were pretty annoyed at being ignored. They reached out to the CEO, to give them a mouthful and he was a really sound guy.
“He apologized, told them they couldn't take them on due to prior contracts, paid them, and sacked the guy (the CISO) on the spot as he hadn’t reported the findings to his seniors.”
However, while it’s perhaps unsurprising that clashes with senior management are often cited for CISO departures, the long-held view that they should be fired for a breach remains contentious.
SANS Institute’s Eric Cole touched on this recently on Twitter: “Let's clear the air, having a compromise is not a bad thing; If a CISO is negligent they should be fired, but not because a compromise occurs.”
This, clearly, is up for debate. A December 2014 study from NTT Com Security revealed that senior execs thought information security was, in layman’s terms, ‘someone else’s problem’, while a Raytheon study revealed that 70 percent of security pros at the eCrime Congress in London thought that CEOs should take the blame. Only 13 percent of those polled thought it should be the CISO.
Sacked CISOs tell all
Two CISOs who were dismissed described the experience of being fired, and the lessons they learned.
One CISO, who previously worked in the UK financial services sector, says that his dismissal ultimately came down to “a difference of opinion” between him and the CIO.
“The information security budget was part of the overall IT budget, and the CIO had to make cost reductions. While information security still had to show savings in the budget, this increased risk in certain areas.”
He continued that, after he had explained the potential damage to senior management, the CIO turned against him. “The CIO did not like this, although he agreed that the business should be responsible, which was a case of do as I say not as I do.”
He says that he felt he handled the departure well, but believes he learned a lot from the experience. “It is best not to report directly into technology, and have your budget controlled by the CIO, who is under pressure to show aggressive cost savings. Also business leaders do not like to hear the truth or have transparency, even if they publicly state that.”
Unfortunately, this tale is echoed elsewhere. A head of infosec at a managed service provider also cites difficulties with the IT team, which eventually paved the way for his own exit.