In-depth

Splunk: Don't make CISOs scapegoats for data breaches

Monzy Merza says security is everybody's problem

Data encryption

CISOs and CIOs do not deserve to be fired for data breaches, according to the head of security at analytics firm Splunk.

Instead, chief security evangelist Monzy Merza believes data security is everybody's responsibility, warning that making scapegoats out of security experts damages morale.

He told IT Pro: "When the CISO is fired, what do you think this does to the security team? Firing their leadership is not a way to maintain talent and morale on that team.

"These guys defend things day in, day out and something gets through, for any number of reasons. I'm not saying everyone's an angel and they all do perfect jobs, but maybe they have organisational constraints."

Recent data breaches have seen CIOs, CISOs and CEOs leave their companies in the aftermaths, as media scrutiny ramps up and revelations about the hacks stream out over the following weeks and months.

High profile examples include a suspected Chinese hack which exposed the details of millions of US government employees and their families from the Office of Personnel Management (OPM) over the summer.

Just yesterday the department admitted that the hackers also got away with 5.6 million employees' fingerprints, but the division's former director, Katherine Archuleta, resigned in July over the incident, faced with growing pressure from politicians.

Noel Biderman, ex-CEO of infidelity dating site Ashley Madison, also resigned last month over a breach of 33 million users' details.

And CIO Beth Jacob last year quit US retailer Target - a Splunk customer - over a hack that focused on its point-of-sales systems in 2013.

Security is everybody's concern

But Splunk's Merza argued that security is not only the responsibility of the security team, but the entire organisation, and people should not idolise their security team as if it does something incomprehensible to them.

He said: "We have to look at it in a broader sense. Where it works really well is where organisations don't make security teams these high gods, and they work together so if there's a vulnerability that's discovered, they work together to try and figure that out."

Using the example of Apache web log data, he argued that piece of information is important to the entire company - security may find evidence of a SQL injection attack in there, IT can look at it and see how well transactions are running on their servers, and analytics or finance can see what people are buying.

"It's about how do we look at that information, and really it's going to come from understanding the value that's there and we keep coming at it from different ways," Merza said.

"Thereis this notion that we are all responsible for the success of our business, of our mission.If we all take ownership of that, part of maintaining that is to say we're going to operate in a secure fashion and we're going to take action and be responsible."

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Leading the data race

The trends driving the future of data science

Download now

How to create 1:1 customer experiences at scale

Meet the technology capable of delivering the personalisation your customers crave

Download now

How to achieve daily SAP releases

Accelerate the pace of SAP change to support your digital strategy

Download now

Recommended

Best free malware removal tools 2020
Security

Best free malware removal tools 2020

21 Sep 2020
Windows Server flaw sparks emergency US gov warning
vulnerability

Windows Server flaw sparks emergency US gov warning

21 Sep 2020
How to protect against a DDoS attack
Security

How to protect against a DDoS attack

17 Sep 2020
'Largest ever' Magecart hack compromises 2,000 online stores
hacking

'Largest ever' Magecart hack compromises 2,000 online stores

15 Sep 2020

Most Popular

Google Pixel 4a review: A picture-perfect package
Google Android

Google Pixel 4a review: A picture-perfect package

18 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020