Appoint an unqualified CISO?
There’s potentially a controversial discussion here. I don’t know this Senator. I remember from the TikTok hearings I don’t actually trust too many Senators. Some seem a bit mad.
Connor Jones
It’s true that the guy didn’t hold any cybersecurity roles previously. But in smaller organisations that does absolutely fall to the IT Leader. There’s sometimes not a need, or budget, for a dedicated CISO (this is where fractional can help).
But GE and Microsoft are not exactly smaller companies. U.H. is bloody huge.
Lack of segregation and MFA, well that is insane. I know IT Leaders from smaller organisations that would lose a lot of sleep over that. I don’t know anybody who wouldn’t. They have that haunted look.
I don’t think the focus should be on resume and past history here. It’s knowledge and capability. Also perhaps corporate culture. Because to focus on anything else will just make the skills shortage worse, and do a disservice to IT Leaders doing their best.
Finally - there’s got to have been a decent sized team there. In my experience you ask any security or infrastructure folk “Where are the gaps?” they have zero hesitation in telling you, in detail…and often.
That box shouldn’t have been online.
If somebody demanded it needed to be, they write their name in their own blood on the risk register to accept the risk.