[PakG1]

I'd revise that from "if a breach happens" to "if a breach happens and the CSO demonstrated criminal negligence." The attack surface for security is too large, and it's not fair to hold a CSO of a cafe chain to such a standard when zero-days are also possible. Punish for being negligent, not for being attacked by a zero-day, or something else really obscure.

[Kerrick]

What if the CSO ignored bug reports about this for a full 8 months? Would that make it negligent?

[tptacek]

What if the CSO informed engineering teams, got stonewalled, and, a few weeks later, escalated through the company's risk process (Panera is public, or was before it was bought by a public company, and will have a risk process). What do people here think a CSO does? If your mental model is: "decree that something is safe to deploy publicly, or else forbid its deployment", your model is broken. Most CSOs have an advisory role in the organization, and the real institutional power comes either from engineering or from the CIO.

This security director handled Dylan's bug report badly and deserves the reputation hit he's getting. But if we're going to suggest liability (let alone criminal liability) for security flaws, we should at least have some idea of what it is we're regulating.

[smileysteve]

Pull the plug.

The final "stick" and reason for a C in the title is the responsibility to shut down the data (and website) until such a point it can be secured.

It's should be considered more of a fiduciary duty (protect shareholders, customers) to protect data as making the right investment or HR decisions.

[tptacek]

"Pulling the plug" is almost never a capability provided to a company security team.

[tedunangst]

What happens when the CIO plugs it back in?

[smileysteve]

The CIO then accepts full liability.

[benmmurphy]

If we were running under the liability model the CSO's final option would be to resign which sucks. But he is basically in the same situation that any employee is who is being forced to do something that is clearly illegal. But, I guess that is a good argument for why liability might not work because you end up not having a security team or you put good people into legal dilemmas that they shouldn't have to deal with.

[PakG1]

For example (issue may or may not have been legal, but point is the guy resigned): https://arstechnica.com/tech-policy/2016/10/report-fbi-andor...

[notyourday]

Which is why we need jail time for execs.

It is very simple: with big $$ there should be a big risk.

[bradleybuda]

Yes