jdreyer wrote on Oct 5, 2017, 02:02:
Cutter wrote on Oct 4, 2017, 15:30:
Just think, a scant 60 years ago Truman made popular "the buck stops here" as a motto for personal responsibility. And whilst those at the top continue to espouse such sentiments, 'take responsibility, take ownership, etc.', it's all fine and dandy until the very moment it applies to them, and all of a sudden it's Sgt. Schultz from Hogan's Heroes, "I know nothing!"
Oh, no. That CEO took the blame, and he resigned. He also took the $90M severance package.
Cutter wrote on Oct 4, 2017, 15:30:
Just think, a scant 60 years ago Truman made popular "the buck stops here" as a motto for personal responsibility. And whilst those at the top continue to espouse such sentiments, 'take responsibility, take ownership, etc.', it's all fine and dandy until the very moment it applies to them, and all of a sudden it's Sgt. Schultz from Hogan's Heroes, "I know nothing!"
mixma242 wrote on Oct 4, 2017, 14:28:
Beamer wrote on Oct 4, 2017, 13:40:
Bumpy wrote on Oct 4, 2017, 13:07:
Guess what Mr. CEO finger pointer, you are in charge and responsible for that 'one' person.
In fairness, a software update is something no one should expect a CEO to pay any attention to. It's mundane and not worth his time.
(Snip)
If your CEO is paying attention to system upgrades, you hired the wrong CEO. He shouldn't have any understanding of that. Those skills don't make for a good CEO.
Look, no one expects a CEO to be technical. But relying on an individual to perform a mission-critical task with no oversight is amateur hour and is a failure of due diligence. There should be an entire process where a change is written up, there is peer review, the change is performed, and there is post-change testing.
Yes, the CEO has a responsibility to make sure that is happening. That is part of his job. He doesn't write the process, but he must maintain oversight of those to whom he delegates it.
This isn't a new or obscure idea. I myself have worked from within that framework for over 15 years, three large multinational corporations, and the Department of Defense. There are entire books written about it, as well as international standards. That a large corporation like Equifax would fail at this is shocking. Their business is literally handling personal identification information.
Don't let them off easy. This is not the failure of just some IT dude. Their system failed to catch this.
mixma242 wrote on Oct 4, 2017, 12:45:
At the moment I am studying for the CISSP (Certified Information Systems Security Professional). The CISSP is a high-level security cert, and here is a direct quote:
"Security governance is not and should not be treated as an IT issue only. Instead, security affects every aspect of an organization. It is no longer just something the IT staff can handle on their own. Security is a business operations issue. Security is an organizational process, not just something the IT geeks do behind the scenes."
It goes on to emphasize that senior management must be engaged in business security and that they have the ultimate responsibility, not the IT department.
This dude received compensation in the tens of millions, yet apparently didn't understand how a critical part of his company operated. To me this is a clear failure of due care. This CEO should man up and take responsibility. You get paid crazy money for a reason.
mixma242 wrote on Oct 4, 2017, 12:45:
At the moment I am studying for the CISSP (Certified Information Systems Security Professional). The CISSP is a high-level security cert, and here is a direct quote:
"Security governance is not and should not be treated as an IT issue only. Instead, security affects every aspect of an organization. It is no longer just something the IT staff can handle on their own. Security is a business operations issue. Security is an organizational process, not just something the IT geeks do behind the scenes."
It goes on to emphasize that senior management must be engaged in business security and that they have the ultimate responsibility, not the IT department.
Beamer wrote on Oct 4, 2017, 13:40:
Bumpy wrote on Oct 4, 2017, 13:07:
Guess what Mr. CEO finger pointer, you are in charge and responsible for that 'one' person.
In fairness, a software update is something no one should expect a CEO to pay any attention to. It's mundane and not worth his time.
(Snip)
If your CEO is paying attention to system upgrades, you hired the wrong CEO. He shouldn't have any understanding of that. Those skills don't make for a good CEO.
Bumpy wrote on Oct 4, 2017, 13:07:
Guess what Mr. CEO finger pointer, you are in charge and responsible for that 'one' person.
Pigeon wrote on Oct 4, 2017, 09:59:
‘As CEO I am responsible for what happens on my watch; out of my thousands of employees I failed to notice THAT GUY! *points to random schmuck eating a sandwich* didn’t do his job. One idiot screwing everything up, you can’t regulate that, or hold me or the company responsible in any way, there’s absolutely nothing we could have done, so case closed, no need to dig into the company’s security habits or question why we’re allowed to collect so much personal information, ’cause it was all THAT GUY’S fault.’
Well, the sacrificial goat has been offered; let's see if the government eats it.