
posted by Fnord666 on Monday September 18 2017, @09:41AM
from the retired-or-fired dept.

Submitted via IRC for SoyCow5743

On Friday, Equifax announced that two top executives would be retiring in the aftermath of the company's massive security breach that affected 143 million Americans.

According to a press release, the company said that its Chief Information Officer, David Webb, and Chief Security Officer, Susan Mauldin, would be leaving the company immediately and were being replaced by internal staff. Mark Rohrwasser, who has led Equifax's international IT operations, is the company's new interim CIO. Russ Ayres, who had been a vice president for IT at Equifax, has been named as the company's new interim CSO.

The notorious breach was accomplished by exploiting a Web application vulnerability that had been patched in early March 2017.

However, the company's Friday statement also noted for the first time that Equifax did not actually apply the patch to address the Apache Struts vulnerability (CVE-2017-5638) until after the breach was discovered on July 29, 2017.

Source: https://arstechnica.com/tech-policy/2017/09/equifax-cio-cso-retire-in-wake-of-huge-security-breach/

Also at https://www.bleepingcomputer.com/news/security/equifax-releases-new-information-about-security-breach-as-top-execs-step-down/



  • (Score: 4, Insightful) by bradley13 on Monday September 18 2017, @11:44AM (14 children)

    by bradley13 (3053) on Monday September 18 2017, @11:44AM (#569702) Homepage Journal

    ...not normally this badly.

    I think this is an excellent reason to discuss the concept of professional liability. Obviously, in the first instance, the company is liable for the damages done. However, at what point should individual people be on the hook? I'm not (necessarily) suggesting that individual coders should carry any liability (although professional engineers often do). However, certainly at the level of CxO, I do believe personal liability is appropriate.

    In a case as severe as this (and as a bare minimum), any bonuses earned for the past X years should be forfeit. Because they were clearly undeserved: creating an environment in which a severe security issue could go unpatched for so long is *precisely* the fault of the CIO and CSO. Being allowed to retire, while retaining full benefits and all past bonuses, is just wrong.

    If we were dreaming, how could this problem be solved? What about a practice of paying all bonuses into an escrow account, and only releasing each year's bonus if X years pass with no major problems in the person's area of responsibility? Other suggestions? How far down the food chain does personal responsibility go?

    --
    Everyone is somebody else's weirdo.
  • (Score: 1, Interesting) by Anonymous Coward on Monday September 18 2017, @11:53AM (3 children)

    by Anonymous Coward on Monday September 18 2017, @11:53AM (#569707)

    Shouldn't Equifax just go bankrupt from lawsuits and fines from mishandling PII? Then there would be no money/benefits to give the executives.

    • (Score: 5, Insightful) by bradley13 on Monday September 18 2017, @12:00PM (2 children)

      by bradley13 (3053) on Monday September 18 2017, @12:00PM (#569709) Homepage Journal

      "Shouldn't Equifax just go bankrupt from lawsuits and fines from mishandling PII? Then there would be no money/benefits to give the executives."

      CxO types take care of each other. Bet that they already have the bonuses, and I wouldn't be surprised if they have vested (i.e. fully-funded) pensions, probably unlike the rest of the Equifax employees.

      Ah, stocks, that may hang some of them. It appears that some of the top-level execs were trying to sell their stocks before the SHTF. Which is called insider trading, and jail terms would be well-deserved pour encourager les autres.

      --
      Everyone is somebody else's weirdo.
      • (Score: 0) by Anonymous Coward on Monday September 18 2017, @07:52PM

        by Anonymous Coward on Monday September 18 2017, @07:52PM (#569885)

        Bet that they already have the bonuses, and I wouldn't be surprised if they have vested (i.e. fully-funded) pensions

        Claw back. [zerohedge.com]

      • (Score: 1, Redundant) by frojack on Wednesday September 20 2017, @07:27PM

        by frojack (1554) on Wednesday September 20 2017, @07:27PM (#570818) Journal

        It appears that some of the top-level execs were trying to sell their stocks before the SHTF.

        ALL the top level execs and board members sell their bonus stock routinely.

        They have their portfolio manager sell on a schedule that doesn't change. The exec is hands off of his own-company stock.

        Every change requires another federal form be filled out.
        Every scheduled sale requires a federal form.

        http://www.investopedia.com/articles/stocks/05/042605.asp [investopedia.com]

        Finally, be careful about placing too much stake in insider trading since the documents reporting them can be hard to interpret. A lot of Form 4 trades do not represent buying and selling that relate to future stock performance. The exercise of stock options, for instance, shows up as both a buy and a sell on Form 4 documents, so it is a dubious signal to follow. Automatic trading is another activity that is hard to interpret - to protect themselves from lawsuits, insiders set up guidelines for buying and selling, and leave the execution to someone else. SEC Form 4 documents disclose these hands-off insider transactions, but they don't always state that the sales were scheduled far ahead of time.

        It goes without saying that the FTC looks into this every time there is an "event" at any company. It goes without saying that the press jumps on this without even bothering to check with the FTC, because they know it's automatic.
        99.99% of the time nothing is found that is not routine and pre-scheduled.
        99.999% of the time some fool screams INSIDER TRADING.

        --
        No, you are mistaken. I've always had this sig.
  • (Score: 4, Insightful) by Anonymous Coward on Monday September 18 2017, @12:07PM

    by Anonymous Coward on Monday September 18 2017, @12:07PM (#569716)

    How far down the food chain does personal responsibility go?

    All the way down, but it should always start from the very top. Most often, someone at the bottom just takes the blame.

    It should be that the CEO gets the blame and takes the responsibility, but if he can show his reports were doing an improper job then he can move part of the blame to them. Only part, because he is still responsible for hiring/promoting them, for checking and verifying they do a proper job, ...
    It doesn't work in the other direction: if an employee says "we should do X because of this thing Y" and his superior says no, the employee can't fire his boss.

  • (Score: 3, Insightful) by FakeBeldin on Monday September 18 2017, @12:40PM (1 child)

    by FakeBeldin (3360) on Monday September 18 2017, @12:40PM (#569727) Journal

    I think this is an excellent reason to discuss the concept of professional liability. ... However, certainly at the level of CxO, I do believe personal liability is appropriate.

    The argument that I've often heard touted justifying CxO's enormous financial rewards is that their jobs come with "more risks".
    If they're not personally liable, what justification is there left?

    "Because otherwise we can't hire a good person for the job"?
    If you're not applying that argument to the actual workers, why should it apply to the jobs with golden parachutes?

    • (Score: 2, Interesting) by Anonymous Coward on Monday September 18 2017, @03:58PM

      by Anonymous Coward on Monday September 18 2017, @03:58PM (#569781)

      "Because otherwise we can't hire a good person for the job"?

      Ummm, yeah. About that. A recent study shows an inverse correlation between CEO pay and performance. [cooleypubco.com] Have board members at various companies seen this study? Probably. Will they act on it? [Snort] Hell no!!!

      If you're not applying that argument to the actual workers, why should it apply to the jobs with golden parachutes?

      The answer will be left as an exercise for the reader.

  • (Score: 1, Informative) by Anonymous Coward on Monday September 18 2017, @02:54PM (2 children)

    by Anonymous Coward on Monday September 18 2017, @02:54PM (#569760)

    The "LLC" means "Limited Liability Company", which means the suits can't be personally liable for ANY problems legal or otherwise with Equifax business practices.

    • (Score: 2, Insightful) by Anonymous Coward on Monday September 18 2017, @03:11PM

      by Anonymous Coward on Monday September 18 2017, @03:11PM (#569766)

      Which is why "we the people" should take justice into our own hands. These scumbags, should be doxxed, then gutted and left to bleed out slowly and painfully. This day is coming soon. Hopefully, I will live to see it.

    • (Score: 2) by Whoever on Tuesday September 19 2017, @02:06AM

      by Whoever (4524) on Tuesday September 19 2017, @02:06AM (#570015) Journal

      LLC status protects owners, not employees. They may still be liable in their position as employees.

  • (Score: 2) by frojack on Monday September 18 2017, @10:55PM (3 children)

    by frojack (1554) on Monday September 18 2017, @10:55PM (#569963) Journal

    creating an environment in which a severe security issue could go unpatched for so long is *precisely* the fault of the CIO and CSO.

    Maybe read the linked articles before rushing to judgement.

    They knew about the vulnerability and the patch.
    They ordered all the servers to be patched.
    All the other servers were patched.
    This one got missed.
    This one server got hacked.
    Clearly someone fucked up.

    But it wasn't the fault of either of these two people.

    They got canned because someone had to get canned. They signed up knowing there was always a risk one low level minion could bring their world crashing down by ill intent, or by simply assuming some other team member took care of this server.

    There is no way you can spin that into personal liability for the CIO/CSO. There is no way they should lose their retirement because some snotnosed agile developer failed to add this server to the list running Struts.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2) by arslan on Tuesday September 19 2017, @04:48AM (2 children)

      by arslan (3462) on Tuesday September 19 2017, @04:48AM (#570069)

      That's one way to look at it. The other could be: why did that one server get missed? Are we sure it is just one, just because one was discovered and exploited? Maybe there are more unknown servers in their network. Maybe they've fostered a risk culture such that documentation of their assets in their asset register is not strict, because documentation is an overhead that gets in the way of delivering "value"?

      How do you say for certain that the above is not the case? Documentation is always an afterthought, I've seen it so many times. The CxOs are definitely on the hook for any corporate culture they set, including any culture/practice that indirectly affects their risk management, like ensuring their discipline in maintaining their knowledge base, key person dependencies, workforce skillset, etc.

      Even small things like always "stretching" your employees so they can deliver more bang for the buck, but not looking at the implications from the risk aspect (i.e. they make mistakes, they bring work home and risk data leakage, etc.). Maybe this "minion", as you put it, was overworked because that is the corporate culture.

      • (Score: 2) by frojack on Wednesday September 20 2017, @06:58PM (1 child)

        by frojack (1554) on Wednesday September 20 2017, @06:58PM (#570783) Journal

        There you go with that "risk culture" nonsense again.

        You haven't got a point here. Sorry. All business is risk.

        All the paper pushing bean counters in the world can't avoid risk. It's part of business.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 2) by arslan on Thursday September 21 2017, @12:15AM

          by arslan (3462) on Thursday September 21 2017, @12:15AM (#570920)

          Nobody's saying you can avoid risk, but how an organization overall deals with it is not a binary thing. The top leadership are accountable for how they want the rest of the leadership chain down to react to risk (as in how it affects their decision making).

          If a mid level IT manager decides that patching is low priority because he wants his project to be deployed first, so he can score brownie points with his business sponsor because that is his main KPI set from the top, and decides to postpone the patching, then they are potentially taking a very bad position on managing risk. The risk doesn't go away, to your point, and this isn't about that. Why does the IT manager behave that way? Is this a lone-wolf cowboy thing, or is it a typical thing across the organization? Surely the top leaders are accountable to set the risk culture because they are the ones that decide on the KPI model.

          Another scenario, which is not so direct, is a culture where the top leaders foster an environment where minions are always stretched to work 10 hours a day continuously till they burn out, and fat fingering is par for the course. This isn't "directly" related to risk culture, but it does set up a culture where mid level IT managers get the mandate to whip their workforce and create an environment where there's a high degree of mistakes, and indirectly create a poor cyber risk environment.

          I've been in organizations where I've experienced both of the above. If shit were to happen I wouldn't be blaming the minion like you suggested.