
What about when people went after the security head of Equifax following their massive breach that ruined a few lives? Was that unfair?


Incredibly unfair, the character assassinations are totally uncalled for. The infosec community has a real problem with tearing each other apart. So much so, that journalists now also think it's okay. * Just a reminder, they were tearing into the CISO for having a liberal arts degree (as if college degrees actually prepared you for anything..).

Totally agree here: blame the company and the leadership for not investing in the right processes and tools. People will always make mistakes.


Blame the people at the company who didn't make sure the right processes and tools were in place? It seems like while the CTO made the error, he was also responsible for making sure he wouldn't be able to make such an error.

He failed at doing his job as a CTO and then failed at being a moderately competent entry-level software engineer.


So … we should blame the leadership but not blame the person in leadership who made the mistake?

That … doesn't make any sense.


Deeply unfair bordering on sexist and elitist. People mentioning her degree was one of the most nasty things I’ve seen.


So you don't think it's newsworthy that the most sensitive financial info held for every American was supposed to be secured by someone with no security background?

People's lives were destroyed by that breach. It wasn't a victimless mistake. The public wanted to know how it happened, and hiring the wrong person is part of how it happened.


I think it's unfair. A single person doesn't bear the whole responsibility of a breach like Equifax's. The breach is just the final symptom of deeper problems with company leadership & policy allowed to fester by ineffective public oversight and bad incentives. The witch hunt will change nothing and absent policy, it will probably happen again because the specific people were never the problem.


The C-levels are the leadership. The buck stops with them.


A single person is not "the leadership". Blaming just corporate leadership is also unproductive; if incentives and lack of oversight encourage this outcome, punishing and replacing the leadership is just playing musical chairs. Saying "the buck stops with them" is pretty useless unless your goal is simply to declare a target for emotional rage.


Isn't the (nominal) reason the people at the top get paid so much that they're supposed to take responsibility? If not them, then who? They're supposed to set the incentives and culture so that the people below them in the org chart do the right thing. It's their job to know that their suppliers aren't using sweatshop labor to produce their goods. It's their job to make sure managers don't lean on the rank and file so much as to incentivize fraudulent behavior (but the managers would never outright say to do these things, oh no). "Don't ask, don't tell" isn't an excuse. And if the greater environment is such that "everybody does it", well maybe we need better regulations and/or policies, but that still does not absolve them individually.

The people at the top might not be at fault, but they sure as hell are responsible.


Hold the company responsible and let its stakeholders and internal processes figure out how to course correct. Maybe the CEO or CTO or whatever screwed up and needs to go, or maybe it was a rare accident that is only human; given the right incentives & punishments, companies will work to identify and fix whatever is causing them to be punished as part of their profit maximization goals. All orgs of that kind of size operate as complex systems; inviting uninformed mob pitchforks into the process is counterproductive.

No, I don't think people at the top get paid to be a voodoo doll of responsibility. They get paid a lot because good executives are hard to find and can produce huge benefits, so the market values them very highly. It can feel good to throw around moral judgement like "that still does not absolve them individually" but if a set of incentives/environments consistently produces bad outcomes, the people involved are not responsible. It would be unproductive to punish the people involved when their replacement would do the same (especially considering that punishment is notoriously less effective at deterring human behavior). I personally think it is also morally wrong to do so, similar to punishing a thief for stealing food in a system that consistently deprives him of the ability to acquire food legitimately.


Well gee, in this framework it seems like there is no way for anyone to ever be negligent or liable for anything they do, no matter how ill-considered.


The very few leaders are paid enormously in money and status for all the value they are supposedly adding; if they screw these things up, why should the hit they take not also be expensive?



