Jeremy Rowley has been C-level at DigiCert for over 7 years and is/was CISO. If anyone should have a complete overview of the entire system, it's him.
* Does replacing the CISO actually make the system more secure? Presumably he had a lot of tribal knowledge built up, and who is going to know the system better than him?
* As systems get more and more complex, it's likely impossible for a single individual to truly understand and prevent these types of situations 100% of the time. It seems that any application that needs to be 100% secure (if that is even possible) has to be provably secure in a strict mathematical sense, which goes beyond individual culpability.
* Does shooting the person accountable actually encourage responsible disclosure or discourage it?
Does replacing the CISO actually make the system more secure?
Counterintuitively, probably yes. Tone flows from the top down, and if you want to change the tone you need to start at the top. It's very difficult to try and build a coalition to change the system from underneath.
Presumably he had a lot of tribal knowledge built up, and who is going to know the system better than him?
Likely he has a lot of political influence and knowledge of the system and for lasting change all of that has to go. If it has gotten that bad it's no good and needs to be swept away.
But it would also make the system more insecure, since reporting failures means dismissals. In the end, DigiCert self-reported the issue they were having. Without that, other operators would be blind to this flaw.
This one C level individual failed to do the most important part of the job, which is to build the team of people who have shared knowledge to understand and prevent these issues 100% of the time.
According to his LinkedIn he joined DigiCert as a lawyer. This is an organizational failure of DigiCert's leadership to put a non-technical person in the CISO role.
Enough companies are looking for their CISO to be an attorney, or to also be an attorney, because you spend a lot of your time threading through laws, contracts, policies, company risks, partner risks, etc.
Much of it at that level is NOT architecture and software discussions. You wouldn't think the job would be similar to lead counsel, but unfortunately a majority of a certain company's risk nowadays is in that area.
And this guy is the gold standard for accountability based on these comments. Whoever pressured him to resign I think is making a mistake.
Bugs happen, and he's doing exactly what's expected of a leader in this situation. Anyone who thinks "this incident is personally my fault because I didn't read every line of code the devs who work for me wrote, and for this dishonor I am now unfit to lead" is a sane reaction to these events is not living the blameless postmortem life.
Last I looked, a CISO's tenure was only 3-5 years (I'm being generous) because the stress is incredible and you end up being responsible to every other CxO in the company.
You have much power, but little as well because every department claims security is the reason their projects are delayed - or if they move quickly and there is an issue, they point back at CISO.
It's always the way. The people with honour tend to hold themselves to a high standard, and step back when they find they do not meet it. Their replacements are either the same in this regard, or they're not.
Captains used to go down with their ships. In most organisations, this is no longer the case, because we lost all the captains willing to do so, without replacement.
Resigning when you fail to prevent an incident rarely helps, directly. But it's not something the power-hungry do, unless forced (and if they expect to be forced, they will try to cover things up). It rarely fails to win my respect. As a move in a social game, I suspect that the general strategy "resign when an unacceptable failure has occurred" makes things better, overall, even if it doesn't directly benefit the organisation you're leaving. (I'm not sure whether this applies when you don't expect that your replacement feels the same way about duty.)
Accountability at the top is a good thing.