In a way is this not an appropriate response for multiple breaches? If I was CSO and my company was plagued by breaches that came about because of my lack of oversight when it was my job I’d fully expect to be fired.
I don’t believe a single incident is equivalent in this case to what happened to the MAX platform; too much has gone wrong.
Untrue (in general). The CSO is frequently given lots of budget and authority. Having talked to some of the big bank executive teams, they have thousands of employees and hundreds of M$ budgets with wide latitude to enforce restrictions. It is just that the best commercial cybersecurity processes and “best practices” are useless against professional attackers with even minimal budgets and staff.
Any technically competent CSO knows they are totally screwed even if they implement everything feasible perfectly (i.e. no inane solution like shutting down the whole company). It is not a problem of resources or commitment (though you could also have those problems), it is a problem of impossibility due to the incompetence of commercial IT cybersecurity processes.
The only way to survive in an environment where you literally cannot do what you were ostensibly hired to do is to lie and take the fall. The only other alternative is being too stupid to realize you are screwed, but every bank cybersecurity executive team I’ve ever met knew that someone could go in and steal all of their documents for less than 1 million dollars (you could also change things, but the out-of-band cross-checking makes that hard without intimate knowledge of the specific financial checks, more a question of knowing how banks work than hacking; the 1 M$ gives you full access rights, but you need to be careful not to drive the tank through the wall of the general’s office).
Banking and financial services average 8.1% of revenue on IT Spending. Industries like industrial manufacturing, food and beverage, retail, and energy average 1.2% - 1.9%.
Many security leaders (CISOs or otherwise) do not have the budget or authority to meet their board's or CEO's expectations, but it may be outside your sample of big banks.
I'm otherwise aligned with your comment. The successful CISOs I've interacted with, regardless of industry, educate their leadership team on the trade-offs and risks of investment levels, set realistic response and recovery times expectations based on those investments, and turn it into a business decision, rather than promising the impossible.
I said CISOs are uniformly incompetent at cybersecurity. No matter how many resources they are provided they are uniformly incapable of delivering security acceptable to the business customers, shareholders, and stakeholders.
There are exactly zero universes in which it is acceptable for a bank to be thoroughly compromised for 1 M$. If they wrote the truth in their advertising and investor documents there would be calls for blood. It is the job of the security organization to make sure the CEO is not aware of the truth so that the CEO can continue safely making statements palatable to the stakeholders.
This is not a problem that can be solved by the current actors through increased resources, effort, or focus. They have demonstrated they are incapable of achieving minimally acceptable outcomes across the entire range in every field. There are no gold standards to point to, no paragons to emulate, just piles of crap littering the wasteland. Meaningful security will not be attained until we throw away all of the commercial IT garbage and build things on the various high robustness systems designed and verified to protect against professional and state actors.
Back in the day there were moderate bounties offered ($100s) for finding security holes. It was far more cost effective than organized security review and testing.
I get the sentiment, but I much prefer this to the alternative, which is rank and file employees getting laid off. It’s much better to have accountability that starts at the top and then trickles down. Too often it feels like workers are the only ones who suffer from the bad decisions of executive leadership.
I don't think the rank-and-file are out of the woods yet. As far as this specific departure, he was a VP of the 737 MAX program, and for 2.x years at that. I presume there are equivalents for the rest of the 737 line and then for the 777, 787, etc. This does not even touch the rest of Boeing. Yes, he's a large fish, but I don't see him as one of the truly big fish. FWIW, I am not for or against this guy; I have no idea if he's part of the solution or prolonging the problem.
Completely off topic, but I always wondered what was so special about Deep Space 9's USS Defiant and its "ablative armour". Sure, it was a plot device, but everyone who encountered it seemed astounded by it.
I think it is important to note the Federation previously wasn’t in the business of building warships. They are so technically advanced, they didn’t need them.
As a friend of mine put it:
Everyone’s best warships are in a dead heat with a luxury liner full of nerds that happens to have guns on it.
Starfleet ships didn’t need armor. Their materials science was already so advanced, they had to use structural integrity and dampening fields to push beyond what existing physical materials could accomplish.
So when they roll out an actual warship using physical armor plating, it is an incredible advancement in materials beyond “simple” energy-reinforced hulls.
Alternatively, it’s really boring technology but the idea of a Starfleet warship is so new they are salivating over things everyone else has been using for centuries. It’s like giving a tank to a soccer mom and telling her to have fun in traffic.
Also off topic, but your comment "It's like giving a tank to a soccer mom and telling her to have fun in traffic" reminds me of the 1995 San Diego Tank Rampage where a guy stole a tank from a Nat'l Guard base and took it on the freeway.
Instead of expending energy to deflect energy weapons fire, the ablative armor undergoes controlled ablation so the outer layers of the armor vaporize or erode when struck by weapon fire, taking the brunt of the attack's energy. This meant that the "total energy" available to defend the ship wasn't limited by the ship's power but by the starbase assembling the ship and the armor could survive a lot more malfunction and battle damage (the shields became completely useless once they burned out). Until the introduction of the armor everyone thought that physical defenses couldn't be used effectively against energy weapons.
Voyager's ablative generator also provided regenerative capability so it didn't need a space dock to repair heavy damage.
Exactly what I was thinking (but much less cleverly worded). We KNOW these issues are the result of pressure from the top to maximize profit despite pushback from engineers.
I don't even understand how he could be expected to turn around such a complex beast of manufacturing that has been mismanaged for so long in under 2 years. It just isn't possible even if you burn both ends of the candle.