Splunk: Don't make CISOs scapegoats for data breaches

Data encryption

CISOs and CIOs do not deserve to be fired for data breaches, according to the head of security at analytics firm Splunk.

Instead, chief security evangelist Monzy Merza believes data security is everybody's responsibility, warning that making scapegoats out of security experts damages morale.

He told IT Pro: "When the CISO is fired, what do you think this does to the security team? Firing their leadership is not a way to maintain talent and morale on that team.

"These guys defend things day in, day out and something gets through, for any number of reasons. I'm not saying everyone's an angel and they all do perfect jobs, but maybe they have organisational constraints."

Recent data breaches have seen CIOs, CISOs and CEOs leave their companies in the aftermaths, as media scrutiny ramps up and revelations about the hacks stream out over the following weeks and months.

High profile examples include a suspected Chinese hack which exposed the details of millions of US government employees and their families from the Office of Personnel Management (OPM) over the summer.

Just yesterday the department admitted that the hackers also got away with 5.6 million employees' fingerprints, but the division's former director, Katherine Archuleta, resigned in July over the incident, faced with growing pressure from politicians.

Noel Biderman, ex-CEO of infidelity dating site Ashley Madison, also resigned last month over a breach of 33 million users' details.

And CIO Beth Jacob last year quit US retailer Target - a Splunk customer - over a hack that focused on its point-of-sales systems in 2013.

Security is everybody's concern

But Splunk's Merza argued that security is not only the responsibility of the security team, but the entire organisation, and people should not idolise their security team as if it does something incomprehensible to them.

He said: "We have to look at it in a broader sense. Where it works really well is where organisations don't make security teams these high gods, and they work together so if there's a vulnerability that's discovered, they work together to try and figure that out."

Using the example of Apache web log data, he argued that piece of information is important to the entire company - security may find evidence of a SQL injection attack in there, IT can look at it and see how well transactions are running on their servers, and analytics or finance can see what people are buying.

"It's about how do we look at that information, and really it's going to come from understanding the value that's there and we keep coming at it from different ways," Merza said.

"Thereis this notion that we are all responsible for the success of our business, of our mission.If we all take ownership of that, part of maintaining that is to say we're going to operate in a secure fashion and we're going to take action and be responsible."