by kjs3 1344 days ago
I'm a security executive. I'm keenly aware that my CISO, my peers and I are basically one bad day away from being scapegoated and put to the torch. It's an occupational hazard so pervasive it doesn't usually affect getting your next job. So one thing I make abundantly clear to my superiors and peers is I will not lie to people who can put me in jail under any circumstance. In practice, this has (rarely) caused friction but no one has seriously pressured me to change my stance.

Do what is right, regardless of incentives, culture, etc. I couldn't agree more. But the mishandling of the breach is indicative of failures at multiple layers, not just security. And I am not sure how his indictment fixes much.
That's a good point. There's an old Italian saying: "A fish rots from the head". It seems clear that executive management said "find a way to cover this up", and the CISO made every effort to do so.