jdreyer wrote on Oct 5, 2017, 02:02:

Oh, no. That CEO took the blame, and he resigned. He also took the $90M severance package.

That's one helluva golden parachute.

jdreyer wrote on Oct 5, 2017, 02:02:

Cutter wrote on Oct 4, 2017, 15:30:
Just think, a scant 60 years ago Truman made popular "the buck stops here" as a motto for personal responsibility. And whilst those at the top continue to espouse such sentiments, 'take responsibility, take ownership, etc.' it's all fine and dandy until the very moment it applies to them, and all of a sudden it's Sgt. Schulz from Hogan's Heros, "I know nothing!"

Oh, no. That CEO took the blame, and he resigned. He also took the $90M severance package.

He retired with the package. He most likely will not keep it.

Cutter wrote on Oct 4, 2017, 15:30:
Just think, a scant 60 years ago Truman made popular "the buck stops here" as a motto for personal responsibility. And whilst those at the top continue to espouse such sentiments, 'take responsibility, take ownership, etc.' it's all fine and dandy until the very moment it applies to them, and all of a sudden it's Sgt. Schulz from Hogan's Heros, "I know nothing!"

Oh, no. That CEO took the blame, and he resigned. He also took the $90M severance package.

mixma242 wrote on Oct 4, 2017, 14:28:

Beamer wrote on Oct 4, 2017, 13:40:

Bumpy wrote on Oct 4, 2017, 13:07:
Guess what Mr. CEO finger pointer, you are in charge and responsible for that 'one' person.

In fairness, a software update is something no one should expect a CEO to pay any attention to. It's mundane and not worth his time.

(Snip)

If your CEO is paying attention to system upgrades, you hired the wrong CEO. He shouldn't have any understanding of that. Those skills don't make for a good CEO.

Look, no one expects a CEO to be technical. But relying on an individual to perform a mission critical task with no oversight is amateur hour and is a failure of due diligence. There should be an entire process where a change is written, there is peer review, change is performed, and there is post change testing.

Yes, the CEO has a responsibility to make sure that is happening. That is part of his job. He doesn't write the process but he must maintain oversight of those to whom he delegates it to.

This isn't a new or obscure idea. I myself have worked from within that framework for over 15 years, three large multinational corporations, and the Department of Defense. There are entire books written about it, as well as international standards. That a large corporation like Equifax would fail at this is shocking. Their business is literally handling personal identification information.

Don't let them off easy. This is not the failure of just some IT dude. Their system failed to catch this.

I said he deserved to be fired.
But this will never change. I know we have a lot of sys admin types here, but that stuff is liter below the ceo level. He can't know every time there's an update. He just can't. His cio must. And if the cio thinks it was applied, there's no way for the ceo to verify this. Unlike things that definitely hit the balance sheet.

So yes, he needed to be fired. But he wasn't in a good position to check up on this, and no ceo ever will. This was a fairly routine it function, and while a CEO bears responsibility for a major breach, they'll never be even remotely involved in routine it maintenance. Much like if the cafeteria isn't hygienic enough and poisons the staff he gets fired but he won't be involved in that part of the business, either.

You're acting as if I said it was the one dude who bore the responsibility. Read what I said about the cio.

Just think, a scant 60 years ago Truman made popular "the buck stops here" as a motto for personal responsibility. And whilst those at the top continue to espouse such sentiments, 'take responsibility, take ownership, etc.' it's all fine and dandy until the very moment it applies to them, and all of a sudden it's Sgt. Schulz from Hogan's Heros, "I know nothing!"

eRe4s3r wrote on Oct 4, 2017, 12:44:
How is this company even still legally allowed to operate.... corruption?

The government recently awarded them a 7 million no-bid contract, within the past couple weeks here, so it would appear so.

I bet it was the same guy who installed all those cheat devices in every Volkswagen/Audi/Porsche diesels, huh? That bastard!

Someone please set the former Equifax CEO (and CIO) on fire. Then post video of it.

Good luck on the test,
- Steelcamp, CISSP since 2010

mixma242 wrote on Oct 4, 2017, 12:45:
At the moment I am studying for the CISSP (Certified Information Systems Security Professional). The CISSP is a high level security cert, and here is a direct quote:

"Security governance is not and should not be treated as an IT issue only. Instead, security affects every aspect of an organization. It is no longer just something the IT staff can handle on their own. Security is a business operations issue. Security is an organizational process, not just something the IT geeks do behind the scenes."

It goes on to emphasize that senior management must be engaged in business security and that they have the ultimate responsibility, not the IT department.

This dude received compensation in the tens of millions, yet apparently didn't understand how a critical part of his company operated. To me this is a clear failure of due care. This CEO should man up and take responsibility. You get paid crazy money for a reason.

mixma242 wrote on Oct 4, 2017, 12:45:
At the moment I am studying for the CISSP (Certified Information Systems Security Professional). The CISSP is a high level security cert, and here is a direct quote:

"Security governance is not and should not be treated as an IT issue only. Instead, security affects every aspect of an organization. It is no longer just something the IT staff can handle on their own. Security is a business operations issue. Security is an organizational process, not just something the IT geeks do behind the scenes."

It goes on to emphasize that senior management must be engaged in business security and that they have the ultimate responsibility, not the IT department.

Agree 100%. Sadly, this still seems to utterly baffle 99.99% of all corporate users out there.

Beamer wrote on Oct 4, 2017, 13:40:

Bumpy wrote on Oct 4, 2017, 13:07:
Guess what Mr. CEO finger pointer, you are in charge and responsible for that 'one' person.

In fairness, a software update is something no one should expect a CEO to pay any attention to. It's mundane and not worth his time.

(Snip)

If your CEO is paying attention to system upgrades, you hired the wrong CEO. He shouldn't have any understanding of that. Those skills don't make for a good CEO.

Look, no one expects a CEO to be technical. But relying on an individual to perform a mission critical task with no oversight is amateur hour and is a failure of due diligence. There should be an entire process where a change is written, there is peer review, change is performed, and there is post change testing.

Yes, the CEO has a responsibility to make sure that is happening. That is part of his job. He doesn't write the process but he must maintain oversight of those to whom he delegates it to.

This isn't a new or obscure idea. I myself have worked from within that framework for over 15 years, three large multinational corporations, and the Department of Defense. There are entire books written about it, as well as international standards. That a large corporation like Equifax would fail at this is shocking. Their business is literally handling personal identification information.

Don't let them off easy. This is not the failure of just some IT dude. Their system failed to catch this.

Bumpy wrote on Oct 4, 2017, 13:07:
Guess what Mr. CEO finger pointer, you are in charge and responsible for that 'one' person.

In fairness, a software update is something no one should expect a CEO to pay any attention to. It's mundane and not worth his time. But the CTO/CIO needs to, and the CEO is where the buck stops, so he was rightfully fired.

But other than the CIO saying in an executive meeting "we did it," there's no reason to expect a CEO to know more. If your CEO is paying attention to system upgrades, you hired the wrong CEO. He shouldn't have any understanding of that. Those skills don't make for a good CEO.

Guess what Mr. CEO finger pointer, you are in charge and responsible for that 'one' person.

At the moment I am studying for the CISSP (Certified Information Systems Security Professional). The CISSP is a high level security cert, and here is a direct quote:

"Security governance is not and should not be treated as an IT issue only. Instead, security affects every aspect of an organization. It is no longer just something the IT staff can handle on their own. Security is a business operations issue. Security is an organizational process, not just something the IT geeks do behind the scenes."

It goes on to emphasize that senior management must be engaged in business security and that they have the ultimate responsibility, not the IT department.

This dude received compensation in the tens of millions, yet apparently didn't understand how a critical part of his company operated. To me this is a clear failure of due care. This CEO should man up and take responsibility. You get paid crazy money for a reason.

How is this company even still legally allowed to operate.... corruption?

Fall guy found. crisis averted

Pigeon wrote on Oct 4, 2017, 09:59:
‘As CEO I am responsible for what happens on my watch; out of my thousands of employees I failed to notice THAT GUY! *points to random schmuck eating a sandwich* didn’t do his job. One idiot screwing everything up, you can’t regulate that, or hold me or the company responsible in anyway, there’s absolutely nothing we could have done, so case closed, no need to dig into the company’s security habits or question why we’re allowed to collect so much personal information, cause it was all THAT GUY’S fault.’

Well the sacrificial goat has been offered let's see if the government eats it.

Government- "Good enough for me"
*begins lynching*

‘As CEO I am responsible for what happens on my watch; out of my thousands of employees I failed to notice THAT GUY! *points to random schmuck eating a sandwich* didn’t do his job. One idiot screwing everything up, you can’t regulate that, or hold me or the company responsible in anyway, there’s absolutely nothing we could have done, so case closed, no need to dig into the company’s security habits or question why we’re allowed to collect so much personal information, cause it was all THAT GUY’S fault.’

Well the sacrificial goat has been offered let's see if the government eats it.