Splunk: Don't make CISOs scapegoats for data breaches

Monzy Merza says security is everybody's problem

Data encryption

CISOs and CIOs do not deserve to be fired for data breaches, according to the head of security at analytics firm Splunk.

Instead, chief security evangelist Monzy Merza believes data security is everybody's responsibility, warning that making scapegoats out of security experts damages morale.

He told IT Pro: "When the CISO is fired, what do you think this does to the security team? Firing their leadership is not a way to maintain talent and morale on that team.

Advertisement - Article continues below

"These guys defend things day in, day out and something gets through, for any number of reasons. I'm not saying everyone's an angel and they all do perfect jobs, but maybe they have organisational constraints."

Recent data breaches have seen CIOs, CISOs and CEOs leave their companies in the aftermaths, as media scrutiny ramps up and revelations about the hacks stream out over the following weeks and months.

High profile examples include a suspected Chinese hack which exposed the details of millions of US government employees and their families from the Office of Personnel Management (OPM) over the summer.

Just yesterday the department admitted that the hackers also got away with 5.6 million employees' fingerprints, but the division's former director, Katherine Archuleta, resigned in July over the incident, faced with growing pressure from politicians.

Advertisement - Article continues below

Noel Biderman, ex-CEO of infidelity dating site Ashley Madison, also resigned last month over a breach of 33 million users' details.

Advertisement - Article continues below

And CIO Beth Jacob last year quit US retailer Target - a Splunk customer - over a hack that focused on its point-of-sales systems in 2013.

Security is everybody's concern

But Splunk's Merza argued that security is not only the responsibility of the security team, but the entire organisation, and people should not idolise their security team as if it does something incomprehensible to them.

He said: "We have to look at it in a broader sense. Where it works really well is where organisations don't make security teams these high gods, and they work together so if there's a vulnerability that's discovered, they work together to try and figure that out."

Using the example of Apache web log data, he argued that piece of information is important to the entire company - security may find evidence of a SQL injection attack in there, IT can look at it and see how well transactions are running on their servers, and analytics or finance can see what people are buying.

Advertisement - Article continues below

"It's about how do we look at that information, and really it's going to come from understanding the value that's there and we keep coming at it from different ways," Merza said.

"Thereis this notion that we are all responsible for the success of our business, of our mission.If we all take ownership of that, part of maintaining that is to say we're going to operate in a secure fashion and we're going to take action and be responsible."




Cyber security experts form COVID-19 taskforce to combat ransomware attacks

3 Apr 2020
cyber security

Hackers torn over how to adapt their tactics to the coronavirus pandemic

3 Apr 2020
cyber security

Report: 16.5 million Britons fell victim to cyber crime in the past year

1 Apr 2020
Amazon Web Services (AWS)

AWS launches Amazon Detective for investigating security incidents

1 Apr 2020

Most Popular

application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020
flexible working

Why we’re lucky COVID-19 has come now

3 Apr 2020