by ethbr0 1229 days ago
The problem with the classic "burn the CEO" knee-jerk is that it only leads to security theater.

CEO hires CISO. CISO makes a big splash, and spends a ton of time getting the business certified in various ways, to prove to CEO stuff is being done.

In reality, security remains atrocious at the tactical level, and the company hemorrhages security talent because no one wants to work for clueless assholes.

Ultimately, eventually, breach still happens, CISO falls on their sword, but is fine because they and CEO always knew this is what they were really being hired to do and compensation was engineered around that expectation.

--

What actually works is a gentle, gradual pressure to move to a better security posture (e.g. vaulted credentials, separate security domains, etc.), implemented over time as opportunity allows, preventing new vulnerabilities from being introduced by targeting development processes, and financially incentivizing developers throughout the company to report issues when they find them.