by Ancalagon 855 days ago
In a way, is this not an appropriate response for multiple breaches? If I were CSO and my company was plagued by breaches that came about because of my lack of oversight when it was my job, I'd fully expect to be fired.

I don't believe a single incident is equivalent in this case to what happened to the MAX platform; too much has gone wrong.


The usual problem is that the CSO is given things to do, no budget, and no authority.

Which, again, if you go in open-eyed can be fine.

Untrue (in general). The CSO is frequently given lots of budget and authority. Having talked to some of the big bank executive teams, they have thousands of employees and hundreds of M$ budgets with wide latitude to enforce restrictions. It is just that the best commercial cybersecurity processes and “best practices” are useless against professional attackers with even minimal budgets and staff.

Any technically competent CSO knows they are totally screwed even if they implement everything feasible perfectly (i.e. no inane solution like shutting down the whole company). It is not a problem of resources or commitment (though you could also have those problems), it is a problem of impossibility due to the incompetence of commercial IT cybersecurity processes.

The only way to survive in an environment where you literally cannot do what you were ostensibly hired to do is to lie and take the fall. The only other alternative is being too stupid to realize you are screwed, but every bank cybersecurity executive team I've ever met knew that someone could go in and steal all of their documents for less than 1 million dollars (you could also change things, but the out-of-band cross-checking makes that hard without intimate knowledge of the specific financial checks, more a question of knowing how banks work than hacking; the 1 M$ gives you full access rights, but you need to be careful not to drive the tank through the wall of the general's office).

Banking and financial services average 8.1% of revenue on IT Spending. Industries like industrial manufacturing, food and beverage, retail, and energy average 1.2% - 1.9%.

Many security leaders (CISOs or otherwise) do not have the budget or authority to meet their board's or CEO's expectations, but it may be outside your sample of big banks.

I'm otherwise aligned with your comment. The successful CISOs I've interacted with, regardless of industry, educate their leadership team on the trade-offs and risks of investment levels, set realistic response and recovery time expectations based on those investments, and turn it into a business decision, rather than promising the impossible.

You are not aligned at all with my comment.

I said CISOs are uniformly incompetent at cybersecurity. No matter how many resources they are provided they are uniformly incapable of delivering security acceptable to the business customers, shareholders, and stakeholders.

There are exactly zero universes in which it is acceptable for a bank to be thoroughly compromised for 1 M$. If they wrote the truth in their advertising and investor documents there would be calls for blood. It is the job of the security organization to make sure the CEO is not aware of the truth so that the CEO can continue safely making statements palatable to the stakeholders.

This is not a problem that can be solved by the current actors through increased resources, effort, or focus. They have demonstrated they are incapable of achieving minimally acceptable outcomes across the entire range in every field. There are no gold standards to point to, no paragons to emulate, just piles of crap littering the wasteland. Meaningful security will not be attained until we throw away all of the commercial IT garbage and build things on the various high robustness systems designed and verified to protect against professional and state actors.

This changed a lot in my perception. Security teams now have more authority — and it's driving everyone else nuts.
Back in the day there were moderate bounties offered ($100s) for finding security holes. It was far more cost effective than organized security review and testing.