Stories
Slash Boxes
Comments

SoylentNews is people

Equifax CIO, CSO “Retire” in Wake of Huge Security Breach

posted by Fnord666 on Monday September 18 2017, @09:41AM   Printer-friendly
from the retired-or-fired dept.

MrPlow writes:

Submitted via IRC for SoyCow5743

On Friday, Equifax announced that two top executives would be retiring in the aftermath of the company's massive security breach that affected 143 million Americans.

According to a press release, the company said that its Chief Information Officer, David Webb, and Chief Security Officer, Susan Mauldin, would be leaving the company immediately and were being replaced by internal staff. Mark Rohrwasser, who has lead Equifax's international IT operations, is the company's new interim CIO. Russ Ayres, who had been a vice president for IT at Equifax, has been named as the company's new interim CSO.

The notorious breach was accomplished by exploiting a Web application vulnerability that had been patched in early March 2017.

However, the company's Friday statement also noted for the first time that Equifax did not actually apply the patch to address the Apache Struts vulnerability (CVE-2017-5638) until after the breach was discovered on July 29, 2017.

Source: https://arstechnica.com/tech-policy/2017/09/equifax-cio-cso-retire-in-wake-of-huge-security-breach/

Also at https://www.bleepingcomputer.com/news/security/equifax-releases-new-information-about-security-breach-as-top-execs-step-down/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Equifax CIO, CSO “Retire” in Wake of Huge Security Breach | Log In/Create an Account | Top | 47 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by arslan on Tuesday September 19 2017, @04:48AM (2 children)

    by arslan (3462) on Tuesday September 19 2017, @04:48AM (#570069)

    That's one way to look at it. The other could be why did that one server got missed? Are we sure it is just one just because one was discovered and exploited? Maybe there's more unknown servers in their network. Maybe they've fostered a risk culture such that documentation of their assets into their asset register are not strict because documentation is an overhead that gets in the way of delivering "value"?

    How do you say for certain that the above is not the case? Documentation is always an after thought, I've seen it so many times. The CxOs are definitely on the hook for any corporate culture they set including any culture/practice that indirectly affects their risk management like ensuring their discipline in maintaining their knowledge base, key person dependencies, workforce skillset, etc.

    Even small things like always "stretching" your employee so they can deliver more bang for the buck but not looking at the implications from the risk aspect (i.e. they make mistakes, they bring work home and risk data leakage, etc.). Maybe this "minion" as you put it were overworked because that is the corporate culture.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2) by frojack on Wednesday September 20 2017, @06:58PM (1 child)

    by frojack (1554) on Wednesday September 20 2017, @06:58PM (#570783) Journal

    There you go with that "risk culture" nonsense again.

    You haven't got a point here. Sorry. All business is risk.

    All the paper pushing bean counters in the world can't avoid risk. Its part of business.

    --
    No, you are mistaken. I've always had this sig.

    • (Score: 2) by arslan on Thursday September 21 2017, @12:15AM

      by arslan (3462) on Thursday September 21 2017, @12:15AM (#570920)

      Nobody's saying you can avoid risk, but how an organization overall deals with it is not a binary thing. The top leadership are accountable on how they want the rest of the leadership chain down react to risk (as in how it affects their decision making).

      If a mid level IT manager decides that patching is low priority because he wants his project to be deployed first so he can score brownie points with his business sponsor because that is his main KPI set from the top and decides to postpone the patching, then they are potentially taking a very bad position on managing risk. The risk doesn't go away to your point - and this isn't about that. Why does the IT manager behave that way? Is this a lone-wolf cowboy thing, or is it a typical thing across the organization? Surely the top leaders are accountable to set the risk culture because they are they ones that decide on the KPI model.

      Another scenario, which is not so direct, is a culture where the top leaders foster an environment where minions are always stretched to work 10 hours a day continuously till they burn out and fat fingering is par for the course. This isn't "directly" related to risk culture, but it does setup a culture where mid level IT managers gets the mandate to whip their workforce and create an environment where there's high degree of mistakes and indirectly create a poor cyber risk environment.

      I've been in organization where I've experienced both the above. If shit were to happen I wouldn't be blaming the minion like you suggested.