Heads will Roll… Really? And Should They?

In an article dated February 29th, 2016, CYBERCOM Chief Mike Rogers “…warned that more corporate heads will roll as companies continue to overlook security holes.” (Link) The article goes on to describe how Adm. Rogers “grew up in a culture of personal responsibility for failure. When a ship experiences “an issue,” the “commanding officer has ultimate accountability,” he said. “It doesn’t matter if it was the middle of the night and that skipper had been up 30 hours working hard . . . ultimately accountability resides in the individual.” The article cites a series of major security failures over the past 24 or so months in which “C level” employees have lost their jobs or been forced into a resignation.

Let’s explore whether a CEO, CISO or other executive should be fired, or “fall on his sword,” when a cyber incident occurs.

First of all, and for full disclosure, I grew up Navy and was in the Navy myself. I fully understand where the Admiral is coming from when he talks about full accountability in command. I am for full accountability, and I have myself offered my resignation in such situations and accepted professional accountability when failures occurred. Back to the Navy, though: if you have not been around, read up on or studied the situations that have resulted in many a commander being relieved of command, you would not understand the full ramifications of what the Admiral is saying. What the Admiral has stated is an absolute. It is very, very rare for a commander who has had a failure in his or her command not to be relieved and/or reassigned, with a permanent black mark on the record. In many cases, the Navy has lost some fine officers as a result.

Should a firing or other dismissal be this absolute?

Let’s look at the OPM hack as an example. If you are not familiar with the situation, the Office of Personnel Management (OPM, basically HR for the federal government) was hacked by a nation-state “Advanced Persistent Threat” (APT). The hack targeted the security clearance files of (depending upon the report you read) 30 million plus records. The APT that took the data had every dirty little secret on every person employed by the federal government who had applied for a security clearance. I listened to the entirety of the congressional hearings on the OPM hack last summer, out of interest in how informed our nation’s leaders were on cyber security and how the whole affair would be handled. Donna Seymour was the CIO at OPM at the time (she resigned in February 2016). In fact, at the time of the hack she had been employed with the organization less than a year, not even a complete budget cycle. Yet, because of the hack alone, before the full ramifications of the breach were understood (at the time it was thought to be maybe 4 million records) and during the congressional hearings, congressmen were asking for her to be fired (some of the kinder comments asked her to step down). And these comments and questions were raised “on the record” in the congressional hearings.

What bothers me about this situation is that the calls for a firing or resignation were nothing more than a call for an immediate beheading. The congressional leadership did not take into account the fact that she may have identified problems in her short tenure and already had project plans in place to fix them (she later testified that she did). They did not take into account budget or other bureaucratic red tape and restrictions, and they certainly did not take into account the attacker’s capabilities, though they stated the need to go into classified meetings on the matter. They failed to take into account, before asking for a firing, that there was a much more powerful force at play here than a couple of script kiddies having fun. They did not take into account anything, except that a hack occurred and someone needed to pay, and pay now! That knee-jerk reaction is what any C level employee should be deeply concerned about. That knee-jerk reaction, without an understanding of the facts and the situation, is what every American consumer should be concerned about. If heads roll so frivolously, there won’t be anyone stepping up to lead.

The article also mentions the C level employees who are no longer employed at Sony or Target. Sony is another example of an APT, but in that case it is also, after an investigation, a clear example of a complete failure. Warnings were given. Security professionals were ignored. The budget was more of a concern than a balanced security approach. Target is again an example of a situation where warnings were given and nothing was done about them. In that case, a trusted vendor detected issues, and the warnings and alerts were not acted upon in a timely manner. In both of these cases, certainly heads should have rolled. In the case of Sony, it goes all the way to the top. But in the case of Target, how can you blame a CEO, or even a CISO, who had spent the dollars and complied with PCI, when at some lower level a process was not followed?

I am sympathetic to, and understand, Admiral Rogers’ assertion that heads, especially the CEO’s head, need to roll in some situations. I diverge from his opinion that this should occur as a default, blanket response. I have never fully agreed with or understood the concept that a Captain is fully responsible for the actions of everyone on his ship. I have seen many a good man go down and careers ruined because of the mistake of an incompetent junior sailor assigned to the ship, or even because of weather conditions that made a situation completely uncontrollable. In the cyber security arena today, the “weather conditions,” APTs, are completely uncontrollable and minimally defensible at the corporate and maybe even the federal government level, especially as you get below the “Fortune 500s.” There is no way that a small, mom and pop company can stand up to the technological prowess of the best of the best of the People’s Liberation Army or the NSA. And yet those types of companies are the Achilles heel of many a large company they do business with. I would like to ask the Admiral: who in his command took responsibility for the junior-level employee who walked off with the keys to the NSA kingdom, the guy named Edward Snowden? Did the commander take responsibility for that? We certainly do not know the inner workings of that agency, but press reports are that Gen. Alexander made the choice to retire and that Obama refused his resignation from the NSA after the Snowden affair. And Gen. Alexander certainly landed on his feet, with a new cyber security firm and seven-figure contracts within months of walking away from the NSA. Nor have we seen Snowden’s actual employer get more than a slap on the wrist; they continue to be a prime contractor for the intelligence business. The company that did his background investigation (BI), and that of the Navy Yard shooter, has taken a little more heat, but certainly not enough.

What all of this boils down to is that before a head can roll, a common-sense approach of a thorough and swift investigation and an understanding of the facts of the situation needs to come first. Once that is complete, then proper, common-sense corrective action should take place, without a doubt. But a rush to blame, and an immediate blaming of the CEO or CISO, is not the way to go. If you are a decision maker who has to deal with this situation, and many of you will in your career, think carefully about who is best suited to solve the problem: the person who knows your systems and sees the faults, or the new hire who will need a year or so under his belt before he has a good assessment of the problem? What is the most sensible and secure approach to fixing your immediate issue?