
posted by Fnord666 on Monday September 18 2017, @09:41AM
from the retired-or-fired dept.

Submitted via IRC for SoyCow5743

On Friday, Equifax announced that two top executives would be retiring in the aftermath of the company's massive security breach that affected 143 million Americans.

According to a press release, the company said that its Chief Information Officer, David Webb, and Chief Security Officer, Susan Mauldin, would be leaving the company immediately and were being replaced by internal staff. Mark Rohrwasser, who has led Equifax's international IT operations, is the company's new interim CIO. Russ Ayres, who had been a vice president for IT at Equifax, has been named as the company's new interim CSO.

The notorious breach was accomplished by exploiting a Web application vulnerability that had been patched in early March 2017.

However, the company's Friday statement also noted for the first time that Equifax did not actually apply the patch to address the Apache Struts vulnerability (CVE-2017-5638) until after the breach was discovered on July 29, 2017.

Source: https://arstechnica.com/tech-policy/2017/09/equifax-cio-cso-retire-in-wake-of-huge-security-breach/

Also at https://www.bleepingcomputer.com/news/security/equifax-releases-new-information-about-security-breach-as-top-execs-step-down/

  • (Score: 2) by arslan on Tuesday September 19 2017, @04:38AM (1 child)

    by arslan (3462) on Tuesday September 19 2017, @04:38AM (#570065)

    They did nothing wrong.
    Their orders were not followed properly.
    They had no way to detect that a machine was missed.

    I disagree. Yes, they are too far up in the hierarchy to be directly held responsible, but they are responsible for setting the risk culture of the organization. There are scarce details around what the root cause is that caused a single server to be missed. If it is truly an exception then it is really a matter of bad luck. If it is due to poor risk culture set by the leaders, then they are to blame.

    I've worked in organizations where good architecture and cyber security recommendations oftentimes get trumped by tech owners because it gets in the way of them delivering "value" to their business users. The IT leaders are responsible for this kind of culture or operating model.

    Just because they issued the "order" doesn't mean they're not accountable if they've fostered a culture where folks can "dispensate" or get away with non-compliance.

    Again, not saying that's the case with Equifax since there's scarce detail on the internals and you don't normally get that level of disclosure in the public press. The only way to know is to talk to folks that have worked in the organization.

  • (Score: 1, Troll) by frojack on Wednesday September 20 2017, @06:52PM

    by frojack (1554) on Wednesday September 20 2017, @06:52PM (#570777) Journal

    If it is due to poor risk culture set by the leaders, then they are to blame.

    You can't even define "risk culture" let alone make it an actionable item.

    How many servers do you think this company had? I'm betting THOUSANDS.
    Apparently they all got taken care of, or were at least not breached. Clearly everybody cared, or feared for their jobs enough to see that this patch got applied. One sysadmin, perhaps overworked, perhaps out sick, missed this machine. That's hardly a risk culture.

    Being in business is a risk. It's the perfect definition of risk. Disasters befall every business now and then. Sometimes people get killed. Sometimes entire companies are wiped out. This situation does not rise to that. Those affected accounts get flagged for free credit monitoring for a few years. Equifax can afford it.

    --
    No, you are mistaken. I've always had this sig.